You must have a configured token provider and an OAuth client with the client-initiated backchannel authentication (CIBA) grant type enabled.
  1. Click Access and then go to Rules > Rules.
  2. Click + Add Rule.
  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select One-Time Authorization.
  5. In the Client ID field, enter the Client ID of the OAuth client.
  6. Select a Client Credentials Type, then provide the information required for the selected credential type.
    • Secret – In the Client Secret field, enter the secret used by the OAuth client to authenticate to the authorization server.
    • Mutual TLS – From the Mutual TLS list, select a configured Key Pair to use for Mutual TLS client authentication.
    • Private Key JWT – Select this option to authenticate the OAuth client with a private key JSON Web Token (JWT). No additional information is required.
  7. From the Login Hint Request Attribute list, select an attribute.

    When a user authenticates, the value of this attribute is sent as the login hint in the backchannel authentication request to the token provider, which uses it to identify the user who must approve the request.

  8. Optional: In the Scopes field, enter or select a scope to request from the token provider. The openid scope is automatically requested.
    1. Optional: Click + New Value to add additional fields.
  9. Optional: Click Show Advanced to configure advanced options:
    1. Optional: In the Requested Expiry (S) field, enter the maximum lifetime of the authentication transaction, in seconds.

      If not specified, the value defined in the CIBA request policy is used.

    2. Optional: From the Timeout Rejection Handler list, select the handler to use when the request expires before the user responds.
    3. Optional: From the Deny Rejection Handler list, select the handler to use when the user denies the request.
  10. Click Save.
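The steps above configure the client side of an OpenID Connect CIBA poll-mode transaction. The following is an added example, not PingAccess code or a PingAccess API: it walks through that exchange end to end so you can see how each rule setting maps to the protocol. The client ID, secret, login hints and scopes are hypothetical, only the Secret client credential type is exercised, and FakeAuthorizationServer is a constructed stand-in for the token provider so the script runs offline. The three outcomes it produces are the ones the rule must handle: tokens issued, expiry (where the Timeout Rejection Handler takes over) and user denial (where the Deny Rejection Handler takes over).

```python
# Added example (not PingAccess code): the CIBA poll-mode flow driven by a
# One-Time Authorization rule. Client identifiers, secrets and login hints are
# hypothetical; FakeAuthorizationServer and FakeClock are constructed so the
# script runs offline. Only the "Secret" credential type is shown.
import base64
import secrets
import time

DEFAULT_EXPIRY_S = 120  # stands in for the lifetime defined in the CIBA request policy


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication (RFC 6749 2.3.1), the "Secret" credential type."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_backchannel_request(client_id, login_hint, scopes=(), requested_expiry=None):
    """Body of the backchannel authentication request (CIBA Core 7.1).
    'openid' is always requested, as the rule does; requested_expiry is sent only
    when the rule sets one, otherwise the server-side policy value applies."""
    scope = " ".join(dict.fromkeys(("openid", *scopes)))  # de-duplicate, keep order
    params = {"client_id": client_id, "scope": scope, "login_hint": login_hint}
    if requested_expiry is not None:
        params["requested_expiry"] = str(int(requested_expiry))
    return params


class FakeClock:
    """Constructed clock so the poll loop does not really sleep."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeAuthorizationServer:
    """Constructed stand-in for the token provider. `decisions` maps a login_hint to
    what the user's device reports: "approve", "deny", or absent (never responds)."""

    def __init__(self, decisions, clock):
        self.decisions = decisions
        self.clock = clock
        self.requests = {}  # auth_req_id -> [login_hint, deadline, poll_count]

    def backchannel_authenticate(self, params, authorization):
        if not authorization.startswith("Basic "):
            raise PermissionError("client authentication required")
        expires_in = int(params.get("requested_expiry", DEFAULT_EXPIRY_S))
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = [params["login_hint"], self.clock() + expires_in, 0]
        return {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": 2}

    def token(self, auth_req_id):
        login_hint, deadline, polls = self.requests[auth_req_id]
        self.requests[auth_req_id][2] = polls + 1
        if self.clock() >= deadline:
            return {"error": "expired_token"}
        decision = self.decisions.get(login_hint)
        if decision == "deny":
            return {"error": "access_denied"}
        if decision == "approve" and polls >= 1:  # user approves after the first poll
            return {"access_token": "at-" + auth_req_id, "id_token": "idt-" + auth_req_id,
                    "token_type": "Bearer"}
        return {"error": "authorization_pending"}


def one_time_authorization(server, client_id, client_secret, login_hint, scopes=(),
                           requested_expiry=None, clock=time.monotonic, sleep=time.sleep):
    """Run one CIBA transaction. Returns ("granted", tokens), ("timeout", None) or
    ("denied", None); the last two are where the Timeout and Deny Rejection Handlers apply."""
    auth = client_secret_basic_header(client_id, client_secret)
    req = build_backchannel_request(client_id, login_hint, scopes, requested_expiry)
    resp = server.backchannel_authenticate(req, auth)
    interval = resp.get("interval", 5)
    deadline = clock() + resp["expires_in"]
    while True:
        tok = server.token(resp["auth_req_id"])
        if "access_token" in tok:
            return "granted", tok
        err = tok.get("error")
        if err == "expired_token" or clock() >= deadline:
            return "timeout", None
        if err == "access_denied":
            return "denied", None
        if err == "slow_down":
            interval += 5  # CIBA requires backing off by at least 5 seconds
        elif err != "authorization_pending":
            raise RuntimeError(f"unexpected token response: {tok}")
        sleep(interval)


def demo():
    """Three hypothetical users: one approves, one denies, one never answers."""
    clock = FakeClock()
    server = FakeAuthorizationServer(
        {"alice@example.com": "approve", "bob@example.com": "deny"}, clock)
    results = {}
    for hint in ("alice@example.com", "bob@example.com", "carol@example.com"):
        outcome, _ = one_time_authorization(server, "pa-ciba-client", "s3cr3t", hint,
                                            scopes=("profile",), requested_expiry=30,
                                            clock=clock, sleep=clock.sleep)
        results[hint] = outcome
    return results


if __name__ == "__main__":
    print(demo())
```

The client-side deadline check alongside the server's expired_token error matters in practice: a token provider that keeps answering authorization_pending past the requested expiry would otherwise keep the rule polling indefinitely, and the Timeout Rejection Handler would never fire.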