Add a one-time authorization rule so that a user can obtain authorization for a mobile app or single-page application through Client-Initiated Back-channel Authentication (CIBA). With CIBA the app does not redirect the user through a browser: it sends a back-channel request that identifies the user, the authorization server prompts the user on their authentication device, and the app then collects the result from the token provider.
- Click Access and then go to .
- Click + Add Rule.
- In the Name field, enter a unique name of up to 64 characters. Special characters and spaces are allowed.
- From the Type list, select One-Time Authorization.
- In the Client ID field, enter the Client ID of the OAuth client.
- Select a Client Credentials Type, then provide the information required for the selected credential type:
- Secret – In the Client Secret field, enter the secret used by the OAuth client to authenticate to the authorization server.
- Mutual TLS – From the Mutual TLS list, select a configured Key Pair to use for Mutual TLS client authentication.
- Private Key JWT – Select this option to authenticate with a JSON Web Token (JWT) signed by the client's private key. No additional information is required in the rule.
- From the Login Hint Request Attribute list, select an attribute. When a user authenticates, the value of this attribute is sent as the login hint in the call to the token provider, so choose an attribute whose value identifies the user.
- In the Scopes field, enter or select a scope to request from the token provider. The openid scope is automatically requested.
- Optional: Click + New Value to add additional scopes.
- Click Show Advanced to configure advanced options:
- Optional: In the Requested Expiry (S) field, enter the transaction lifetime in seconds. If not specified, the value defined in the CIBA request policy is used.
- Optional: From the Timeout Rejection Handler list, select the handler to use when the request expires before the user responds.
- Optional: From the Deny Rejection Handler list, select the handler to use when the user denies the request.
- Click Save.
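The fields configured above correspond to parameters of the CIBA back-channel authentication request: the login hint attribute becomes login_hint, the Scopes field becomes scope (with openid always present), Requested Expiry becomes requested_expiry, and the Client Credentials Type decides how the client authenticates. The following Go program is an added example written for this page, not code from the product or its vendor; it builds that request, creates and verifies the RS256 client assertion used by the Private Key JWT option (RFC 7523), and builds the token-endpoint poll that follows user approval. The client ID and issuer URL are constructed, hypothetical values; a real deployment takes the issuer and endpoints from the token provider's discovery document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Constructed, hypothetical identifiers for the example.
const (
	ClientID = "mobile-app-client"
	Issuer   = "https://idp.example.com"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BackchannelRequest builds the form body of a CIBA back-channel authentication
// request. "openid" is always included, as the rule does; requested_expiry is
// omitted when zero so the server-side CIBA request policy default applies.
func BackchannelRequest(loginHint string, scopes []string, requestedExpiry int) url.Values {
	seen := map[string]bool{"openid": true}
	out := []string{"openid"}
	for _, s := range scopes {
		if s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	v := url.Values{}
	v.Set("scope", strings.Join(out, " "))
	v.Set("login_hint", loginHint)
	if requestedExpiry > 0 {
		v.Set("requested_expiry", strconv.Itoa(requestedExpiry))
	}
	return v
}

// PrivateKeyJWT builds the RS256 client assertion for private_key_jwt client
// authentication: iss and sub are the client ID, aud is the token provider,
// and a short exp plus a random jti limit replay.
func PrivateKeyJWT(key *rsa.PrivateKey, aud string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": ClientID, "sub": ClientID, "aud": aud, "jti": b64(jti),
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(),
	})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is the check the authorization server applies: pinned
// algorithm, valid signature, matching audience, not expired, iss equal to sub.
// It returns the authenticated client ID.
func VerifyClientAssertion(assertion string, pub *rsa.PublicKey, aud string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("missing or unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c struct {
		Iss, Sub, Aud string
		Exp           int64
	}
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("unreadable claims")
	}
	switch {
	case c.Aud != aud:
		return "", errors.New("audience mismatch")
	case now.Unix() >= c.Exp:
		return "", errors.New("assertion expired")
	case c.Iss == "" || c.Iss != c.Sub:
		return "", errors.New("iss/sub mismatch")
	}
	return c.Iss, nil
}

// TokenPollRequest is the form body sent to the token endpoint once the user
// has approved on their device; auth_req_id comes from the back-channel
// authentication response.
func TokenPollRequest(authReqID string) url.Values {
	v := url.Values{}
	v.Set("grant_type", "urn:openid:params:grant-type:ciba")
	v.Set("auth_req_id", authReqID)
	return v
}
```

For the Secret credential type the same request carries the client secret instead of the assertion (HTTP Basic or form client_secret), and for Mutual TLS the client proves possession of the selected key pair at the TLS layer (RFC 8705); in both cases the scope, login_hint and requested_expiry parameters are unchanged. Note that the verifier pins the algorithm to RS256 before checking the signature: accepting whatever alg the header declares is the classic JWT mistake.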