Client Initiated Backchannel Authentication (CIBA) is an extension to OpenID Connect that is gaining interest among organizations that want to improve the end-user experience during authentication and authorization in a federated environment (see openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).

With this extension, user consent can be requested through an out-of-band flow. For example, CIBA improves the user experience when making an online purchase from a merchant as it does not require a browser redirect to a financial institution to authorize the purchase. Instead, the user can receive a push notification sent to the financial institution’s native mobile app running on the user’s phone to complete the authorization.

CIBA allows multiple token delivery methods. PingFederate supports poll and ping. Refer to the subsequent topics for more information about each flow.
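
The following sketch shows the client side of both delivery modes as described in the CIBA Core 1.0 specification. It is an added example, not PingFederate code. The `token_request` transport hook, the `scripted` stand-in for the token endpoint, and all sample values are assumptions constructed for illustration.

```python
import hmac
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from CIBA Core 1.0

def poll_for_tokens(token_request, auth_req_id, expires_in, interval=5, sleep=time.sleep):
    """Poll mode. token_request(params) -> (status, json) is a hypothetical hook
    that POSTs to the OP's token endpoint with client authentication."""
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        status, body = token_request({"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})
        if status == 200:
            return body, waited
        error = body.get("error")
        if error == "authorization_pending":
            continue                  # user has not answered the push yet
        if error == "slow_down":
            interval += 5             # spec: increase the interval by at least 5 s
            continue
        raise PermissionError(error)  # access_denied, expired_token, ...
    raise TimeoutError("auth_req_id expired before the user responded")

def accept_ping(headers, body, expected_token, pending_ids):
    """Ping mode. Accept the OP's callback only if it carries the
    client_notification_token we issued and an auth_req_id we are waiting on."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return False
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False
    return body.get("auth_req_id") in pending_ids

def scripted(responses):
    """Constructed stand-in for the token endpoint: replays canned responses."""
    it = iter(responses)
    return lambda params: next(it)

if __name__ == "__main__":
    replies = [(400, {"error": "authorization_pending"}),
               (400, {"error": "slow_down"}),
               (200, {"access_token": "constructed-at", "id_token": "constructed-idt"})]
    tokens, waited = poll_for_tokens(scripted(replies), "constructed-req-1", 120,
                                     sleep=lambda s: None)
    print(tokens["access_token"], "after", waited, "s of simulated waiting")
    print(accept_ping({"Authorization": "Bearer constructed-cnt"},
                      {"auth_req_id": "constructed-req-1"},
                      "constructed-cnt", {"constructed-req-1"}))
```

In ping mode the callback only signals that a result is ready; the client still retrieves the tokens from the token endpoint with the same grant type after `accept_ping` succeeds.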