---
title: Adding one-time authorization rules
description: Add a one-time authorization rule to let the user obtain authorization for a mobile app or single-page application using the Client-Initiated Back-channel Authentication (CIBA) specification.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_one_time_authz_rules
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_one_time_authz_rules.html
revdate: February 6, 2023
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
---

# Adding one-time authorization rules

Add a one-time authorization rule to let the user obtain authorization for a mobile app or single-page application using the Client-Initiated Back-channel Authentication (CIBA) specification.

## Before you begin

You must have a configured token provider and an OAuth client with the client-initiated backchannel authentication (CIBA) grant type enabled.

* **OAuth client** – The application in an OAuth framework that requests access to resources. If the request is approved by the authorization server, the client is issued an access token for the resources.

* **CIBA** – An extension to OpenID Connect defining a new OAuth grant type where user consent can be requested and granted through an out-of-band authentication flow. CIBA uses direct relying party to OpenID provider communication without redirects through the user's browser.

## Steps

1. Click **Access**, then go to **Rules > Rules**.

2. Click **+ Add Rule**.

3. In the **Name** field, enter a unique name, up to 64 characters long.

   Special characters and spaces are allowed.

4. From the **Type** list, select **One-Time Authorization**.

5. In the **Client ID** field, enter the Client ID of the OAuth client.

6. Select a **Client Credentials Type**, then provide the information required for the selected credential type.

   ### Choose from:

   * **Secret** – In the **Client Secret** field, enter the secret used by the OAuth client to authenticate to the authorization server.

   * **Mutual TLS** – From the **Mutual TLS** list, select a configured **Key Pair** to use for Mutual TLS client authentication.

   * **Private Key JWT** – Select this option to use Private Key JSON web token (JWT). No additional information is required.

7. From the **Login Hint Request Attribute** list, select an attribute.

   When a user authenticates, the value of this attribute is included in the call to the token provider. This attribute value can identify the user.

8. **Optional:** In the **Scopes** field, enter or select a scope to request from the token provider. The `openid` scope is automatically requested.

   1. **Optional:** Click **+ New Value** to add additional fields.

9. **Optional:** Click **Show Advanced** to configure advanced options:

   1. **Optional:** In the **Requested Expiry (S)** field, enter the transaction lifetime in seconds.

      If not specified, the value defined in the CIBA request policy is used.

   2. **Optional:** From the **Timeout Rejection Handler** list, select the handler to use for an expired request.

   3. **Optional:** From the **Deny Rejection Handler** list, select the handler to use for a denied request.

10. Click **Save**.
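
The fields in this rule correspond to parameters of the backchannel authentication request and the token polling defined in OpenID Connect CIBA Core. The Python below is an added example, not PingAccess code: the function names and client values are constructed, and both the use of HTTP Basic for the **Secret** credential type and the mapping of `expired_token` and `access_denied` to the timeout and deny rejection handlers are assumptions.

```python
# Added illustration of the CIBA Core messages behind the rule's fields.
# Not PingAccess code; names and the handler mapping are assumptions.
import base64
from urllib.parse import quote_plus, urlencode

CIBA_GRANT = "urn:openid:params:grant-type:ciba"

def build_backchannel_request(client_id, client_secret, login_hint,
                              scopes=(), requested_expiry=None):
    """Return (headers, form body) for a backchannel authentication request."""
    # openid is always requested; de-duplicate while keeping order.
    scope = " ".join(dict.fromkeys(["openid", *scopes]))
    form = {"scope": scope, "login_hint": login_hint}
    if requested_expiry is not None:
        if requested_expiry <= 0:
            raise ValueError("requested_expiry must be a positive integer")
        form["requested_expiry"] = str(requested_expiry)
    # Assumed: the Secret credential type sent as HTTP Basic (RFC 6749, 2.3.1).
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(creds.encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)

def build_token_poll(auth_req_id):
    """Form body for polling the token endpoint with the CIBA grant type."""
    return urlencode({"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})

def classify_poll(status, body, interval):
    """Return (outcome, next_interval_seconds) for one poll response."""
    if status == 200 and "access_token" in body:
        return "authorized", interval
    error = body.get("error")
    if error == "authorization_pending":
        return "pending", interval
    if error == "slow_down":
        return "pending", interval + 5  # CIBA Core: back off by at least 5 s
    if error == "expired_token":
        return "timeout", interval      # assumed: Timeout Rejection Handler
    if error == "access_denied":
        return "denied", interval       # assumed: Deny Rejection Handler
    return "error", interval            # fail closed on anything unexpected
```
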
