Add a one-time authorization rule to let the user obtain authorization for a mobile
app or single-page application using the Client-Initiated Back-channel Authentication (CIBA)
specification.
You must have a configured token provider and an OAuth client with the
client-initiated backchannel authentication (CIBA) grant type enabled.
An OAuth client is the application in an OAuth framework that requests access to
resources. If the request is approved by the authorization server, the client is
issued an access token for the resources. CIBA is an extension to OpenID Connect
defining a new OAuth grant type where user consent can be requested and granted
through an out-of-band authentication flow. CIBA uses direct relying party to
OpenID provider communication without redirects through the user's browser.
-
Click Access and then go to .
-
Click + Add Rule.
-
In the Name field, enter a unique name, up to 64
characters long.
Special characters and spaces are allowed.
-
From the Type list, select One-Time
Authorization.
-
In the Client ID field, enter the Client ID of the OAuth
client.
-
Select a Client Credentials Type, then provide the
information required for the selected credential type.
- Secret – In the Client Secret field, enter the secret used by the OAuth
client to authenticate to the authorization server.
- Mutual TLS – From the Mutual TLS list, select a configured Key Pair to
use for mutual TLS client authentication.
- Private Key JWT – Select this option to authenticate the client with a
signed JSON Web Token (private key JWT). No additional information is
required.
-
From the Login Hint Request Attribute list, select an attribute.
When a user authenticates, the value of this attribute is sent to the token
provider as the login hint in the backchannel authentication request, so the
OpenID provider knows which user to authenticate out of band. Choose an
attribute whose value uniquely identifies the user.
- Optional:
In the Scopes field, enter or select a scope to request from the token
provider. The openid scope is automatically requested.
- Optional:
Click + New Value to add additional
fields.
- Optional:
Click Show Advanced to configure advanced options:
- Optional:
In the Requested Expiry (S) field, enter the transaction lifetime in
seconds. This is the time the user has to approve or deny the request before
it expires. If not specified, the value defined in the CIBA request policy is
used.
- Optional:
From the Timeout Rejection Handler list, select the handler to use when the
request expires before the user responds.
- Optional:
From the Deny Rejection Handler list, select the handler to use when the user
denies the request.
-
Click Save.
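The following is an added example, not code from the product or its documentation. It simulates, offline, the exchange that the rule configured above drives: the client (identified by the Client ID and Secret from steps 6 and 7) posts a backchannel authentication request carrying the login hint, the requested scopes (with openid always present) and the optional requested expiry, then polls the token endpoint and maps the outcome to "granted", the timeout rejection handler, or the deny rejection handler. The client ID, secret, login hint and the in-memory MockOpenIDProvider are constructed for the example; the parameter names (login_hint, requested_expiry, auth_req_id, the CIBA grant type URN and the error codes) are the ones the CIBA specification defines.

```python
# Added example: simulated CIBA exchange between a client and a minimal in-memory
# OpenID provider. Not product code; all identifiers and values are constructed.
import secrets
import time
from urllib.parse import parse_qs, urlencode

OPENID_SCOPE = "openid"
CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"  # grant_type defined by the CIBA spec


def build_backchannel_request(client_id, client_secret, login_hint, scopes=(), requested_expiry=None):
    """Body of the POST to the OP's backchannel authentication endpoint.
    Client authenticates with its secret (the 'Secret' credential type); openid is
    always requested; requested_expiry is only sent when the rule configures one."""
    scope = " ".join(dict.fromkeys([OPENID_SCOPE, *scopes]))  # keeps order, drops duplicates
    params = {"client_id": client_id, "client_secret": client_secret,
              "scope": scope, "login_hint": login_hint}
    if requested_expiry is not None:
        params["requested_expiry"] = str(int(requested_expiry))
    return urlencode(params)


def build_token_request(client_id, client_secret, auth_req_id):
    """Body of the token endpoint poll that redeems an auth_req_id."""
    return urlencode({"grant_type": CIBA_GRANT_TYPE, "auth_req_id": auth_req_id,
                      "client_id": client_id, "client_secret": client_secret})


class MockOpenIDProvider:
    """Constructed in-memory OP. The user's decision arrives out of band through
    user_decides(); nothing is redirected through a browser."""

    def __init__(self, client_id, client_secret, default_expiry=120, now=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.default_expiry = default_expiry  # stands in for the CIBA request policy default
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.pending = {}  # auth_req_id -> {"scope", "login_hint", "expires_at", "decision"}

    @staticmethod
    def _form(body):
        return {k: v[0] for k, v in parse_qs(body).items()}

    def _client_ok(self, form):
        return form.get("client_id") == self.client_id and secrets.compare_digest(
            form.get("client_secret", ""), self.client_secret)

    def backchannel_authenticate(self, body):
        form = self._form(body)
        if not self._client_ok(form):
            return {"error": "invalid_client"}
        if not form.get("login_hint"):
            return {"error": "invalid_request"}  # OP cannot tell which user to notify
        scope = form.get("scope", "")
        if OPENID_SCOPE not in scope.split():
            return {"error": "invalid_scope"}
        expires_in = int(form.get("requested_expiry", self.default_expiry))
        auth_req_id = secrets.token_urlsafe(24)
        self.pending[auth_req_id] = {"scope": scope, "login_hint": form["login_hint"],
                                     "expires_at": self.now() + expires_in, "decision": None}
        return {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": 5}

    def user_decides(self, auth_req_id, approve):
        """Consent (or refusal) given on the user's own authentication device."""
        self.pending[auth_req_id]["decision"] = bool(approve)

    def token(self, body):
        form = self._form(body)
        if not self._client_ok(form):
            return {"error": "invalid_client"}
        if form.get("grant_type") != CIBA_GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        req = self.pending.get(form.get("auth_req_id"))
        if req is None:
            return {"error": "invalid_grant"}
        if self.now() >= req["expires_at"]:
            self.pending.pop(form["auth_req_id"])
            return {"error": "expired_token"}
        if req["decision"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(form["auth_req_id"])  # an auth_req_id can be redeemed only once
        if not req["decision"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 300, "scope": req["scope"]}


def rule_outcome(token_response):
    """Map the token endpoint's answer to what the one-time authorization rule does."""
    if "access_token" in token_response:
        return "granted"
    return {"authorization_pending": "keep polling",
            "slow_down": "keep polling",
            "expired_token": "timeout rejection handler",
            "access_denied": "deny rejection handler"}.get(token_response.get("error"), "error")
```

The two terminal error codes are the ones the rule's advanced options map to handlers: expired_token arrives when the Requested Expiry (or the policy default) elapses without a decision, access_denied when the user refuses on their device. Note that the mock compares the client secret in constant time and invalidates an auth_req_id after a single redemption, both of which a real provider must also do.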