---
title: Client Initiated Backchannel Authentication (CIBA)
description: Client-initiated backchannel authentication (CIBA) is an extension to OpenID Connect (OIDC) that improves the end-user experience during authentication and authorization in a federated environment.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_ciba
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_ciba.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: October 6, 2025
section_ids:
  ciba-authenticator: CIBA authenticator
  ciba-request-policy: CIBA request policy
---

# Client Initiated Backchannel Authentication (CIBA)

Client-initiated backchannel authentication (CIBA) is an extension to OpenID Connect (OIDC) that improves the end-user experience during authentication and authorization in a federated environment. CIBA uses direct relying party to OpenID provider communication without redirects through the user's browser.

OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.

The CIBA extension defines a new OAuth grant type where user consent can be requested through an out-of-band flow. CIBA improves user experiences, such as making an online purchase from a merchant, because it doesn't require a browser redirect to a financial institution to authorize the purchase. Instead, the user can receive a push notification sent to the financial institution's native mobile app running on the user's phone to complete the authorization. Learn more in the [OIDC CIBA specifications](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).

> The PingOne MFA Integration Kit includes the PingOne MFA CIBA Authenticator, which works with PingFederate's CIBA feature. Find instructions on configuring the PingOne MFA CIBA Authenticator in [Configuring a CIBA authenticator instance](https://docs.pingidentity.com/integrations/pingone/pingone_mfa_integration_kit/pf_p1_mfa_ik_configuring_a_ciba_authenticator_instance.html) in the Integrations documentation.

A CIBA configuration consists of two components: a CIBA authenticator and a CIBA request policy.

## CIBA authenticator

A CIBA authenticator is responsible for authenticating users through an out-of-band method.

You can use the PingFederate SDK to implement a custom solution. Learn more about building and deploying a solution in the Javadoc for the `OOBAuthPlugin` interface, the `SampleEmailAuthPlugin.java` file for a sample implementation, and the [SDK developer's guide](../sdk_developers_guide/pf_sdk_developers_guide.html).

After deploying a solution, you can create one or more instance configurations of the authenticator.

Learn more in [Configuring a CIBA authenticator instance](pf_configuring_ciba_authenticator_instance.html).

## CIBA request policy

CIBA request policies process identity hints and authenticate users to receive consent. Each request policy is associated with an instance of a CIBA authenticator. The CIBA grant flow is initiated by a direct request from the client and involves an out-of-band interaction with the user to complete authentication and authorization. OAuth clients that support the CIBA grant type can be configured to use a specific CIBA request policy or a default.

Learn more in [Defining a request policy](help_cibapolicymanagementtasklet_cibapolicymanagementstate.html).
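The client side of the grant flow described above, as an added example that is not part of the PingFederate documentation or SDK. It assumes the poll delivery mode and parameter names from the OIDC CIBA Core specification; `build_auth_request`, `poll_for_tokens`, and the caller-supplied `post_token` transport (which also handles client authentication) are hypothetical names.

```python
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
HINTS = ("login_hint", "login_hint_token", "id_token_hint")


def build_auth_request(scope, binding_message=None, **hints):
    """Form parameters for the backchannel authentication request."""
    given = [h for h in HINTS if hints.get(h)]
    if len(given) != 1:
        # The spec requires exactly one identity hint per request.
        raise ValueError("exactly one identity hint is required")
    if "openid" not in scope.split():
        raise ValueError("scope must include openid")
    params = {"scope": scope, given[0]: hints[given[0]]}
    if binding_message:
        # Shown on both devices so the user can match the prompt to the action.
        params["binding_message"] = binding_message
    return params


def poll_for_tokens(post_token, auth_req_id, expires_in, interval=5,
                    sleep=time.sleep):
    """Poll the token endpoint until the user responds or the request expires.

    post_token: hypothetical transport, form dict -> (http_status, json_dict).
    """
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        status, body = post_token(
            {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})
        if status == 200:
            return body  # token response
        error = body.get("error")
        if error == "authorization_pending":
            continue  # user has not answered yet
        if error == "slow_down":
            interval += 5  # spec: back off by at least 5 seconds
            continue
        # access_denied, expired_token, and anything else end the flow.
        raise PermissionError(error or "unexpected token response")
    raise TimeoutError("auth_req_id expired before the user responded")
```

Treating every error other than `authorization_pending` and `slow_down` as terminal keeps the client from polling an `auth_req_id` the server has already rejected.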

> Because the CIBA extension is an OAuth grant type, you must select **CIBA** in the **Allowed Grant Types** setting to enable CIBA for the client. Once selected, you can configure more client CIBA-related settings. Learn more in [Configuring OAuth clients](pf_configuring_oauth_clients.html).
