Open in app

Sign in

Write

Sign in

People you don’t expect to operate from Area-51

Episode 02: Technical Perspective on CIBA

Vivekvinushanth Christopher
Authenticate
10 min readAug 15, 2019

--

Area 51 Concept WallPaper [source- https://wallpapercave.com/w/wp4450255]

Jarvis never wanted to keep things in secrecy. Here goes Jarvis on area 51.

Oh yeah…The people who currently working in area51 are……

Yes, it is me, Vivek, his colleagues and mentors. They are in discussion about CIBA, an alien protocol maybe.”

Stop Jarvis!

Don’t intimidate them to yearn to know about that protocol. Hey you, yes you! the reader here, do you have any idea about CIBA?

If No, stop here and have a look at what this CIBA preaches.

If you have read, welcome to the area 51 of WSO2. And this is Vivek writing off about CIBA [Client Initiated Backchannel Authentication].

Why worry about a place where we cannot peek into or thing which is kept in solitary confinement. CIBA is opened to all. Learn it and strive through the IAM arena.

Jarvis keeps your heads up. You had earned some audiences and you gave my friends a very good introduction to CIBA last week.

Now as Jarvis decoded shall we start seeing CIBA with a more technical perspective?

CIBA is simply an authentication flow which decouples authentication device and consumption device. Have a look at the article written by Jarvis. Kidding !! I wrote that but Jarvis helped me. Thanks, Jarvis.

As Jarvis clinging to the word “Decouple”, Yes CIBA decouples the authentication device and consumption device.

Fig.1. The sample CIBA flow
  • The user wants a service from a Consumption device [eg: A point of sales]. He invokes the transaction by providing his identity.
  • Consumption device started the authentication process with an “Authentication request” to the Authorization server [step 1].
  • On receiving the request, the Authorization server sends an auth_req_id to the consumption device with the response [step 2].

This auth_req_id is used for further transactions, callbacks and it is a critical element in request-response validation.

  • Now the authorization server initiates communication with end-user and request credentials and then his consent to approve the consumption device to process the request[step 3].
  • The server sends a notification to the consumption device once it receives consent and credentials[step 4].
  • Now Client requests the ID and Access token[step 5].
  • And the server sends the token [step 6].

The End Points

We need to be aware of three Endpoints. Two of them are mandatory for all flow patterns[reside on server side] and other is optional in regard to the flow and resides on the client-side.

Fig.2. Applicable Endpoints in CIBA
  1. CIBA Endpoint
  • This mandatory Endpoint accepts CIBA Authentication requests from client app of consumption device.
  • And in return send a CIBA Authentication response with required parameters or an error response if the request is not valid.

2. Token Endpoint

  • This mandatory Endpoint accepts the token request from the client app of the consumption device.
  • And in return respond with tokens or error response if the request is not valid[ie; required parameters missing, auth_req_id expired and etc.]

3. Client Notification endpoint

  • Set by the client himself.
  • Will be pinged by the Authorization Server with a notification after successful communication with the end-user at the authentication device.
  • It is optional and mandatory only if authentication flow follows Ping mode and Notification patterns are used.[see below]

There are three basic flow patterns after the authentication response and communication with the end-user.

  1. Poll Mode
Fig.3. Poll Mode CIBA Authentication Flow

The authorization server will send an authentication request to the authentication device previously registered by the Client with a unique identifier sent by Consumption device to CIBA endpoint. Once the credentials and consents are received tokens will be available to be issued. The client will continuously poll the Token Endpoint to get a response token. If the token is available tokens will be provided. Else error response will be issued.

2. Ping Mode

Fig.4. Ping Mode CIBA Authentication Flow

The authorization server will send an authentication request to the authentication device previously registered by the Client with a unique identifier sent by Consumption device to CIBA endpoint. Once the credentials and consents are received a notification is sent to Client notification endpoint about the availability of tokens. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens.

3. Push Mode

Fig.5. Push Mode CIBA Authentication Flow

The authorization server will send an authentication request to the authentication device previously registered by the Client. Once the credentials and consents are received token will be ready and Authorization server sends a notification to Consumption device, inclusive of ID and access token.

And we are aware of the Authentication device, client app operating on Consumption device and the Authorization Server. Aren’t we?

Now we will be briefly looking into the steps of the authentication flow.

1. The Authentication request

  • Authentication is initiated by the client [And that’s why it is Client-Initiated Back-channel Authentication].
  • Client needs to address the authorization server about for whom it is requesting the authentication.
  • So it is mandatory that there should be some user identity from Consumption device for which it can request an access and ID token.
  • There are three ways for a consumption device to add user identity.
  1. login_hint :

It is a hint to the Authorization server about the user for whom the Authentication flow is initiated. The value may be an email address, phone number, account number, username, etc., which identifies the end-user to the OP. The value may be directly collected from the user by the Client just before CIBA Authentication request or can be obtained in other ways.

2. login_hint_token :

A token containing information identifying the end-user for whom authentication is being requested. But the details are profile specific.

3. id_token_hint:

An ID Token previously issued to the Client is being passed back as a hint to identify the end-user for whom authentication is being requested.

Exactly one of this must be used. Invalid request otherwise.

Other Authentication Request parameters:

  • Scope
  • ACR values
  • User-code
  • Binding message
Fig.6. Binding Message in Authentication and Consumption device
  • Requested expiry
  • client_notification_token

Sample request

1.1 Signed Authentication Request

  • It is recommended to use signed Authentication request.
  • All request parameters are encoded as claims of the signed JWT[JSON Web Token].
  • JWT must contain all authentication request parameters.
  • The authentication request is signed with the private key of the client and verified with the public key of the client which was already with the authorization server [asymmetric signture].
  • It is mandatory that signed JWT contains these parameters.

A sample JWT with claims :

Signed Authentication Request :

1.2 Request validation

  • Authenticate client and validate for registered authentication method [poll, ping, push] for its client id.
  • If the request is signed need to verify the signature of JWT.
  • Validate the requests. If more than one hints present invalidate the request
  • Validate for hint and checks if it corresponds to valid-user

2. Authentication Response

  • Once the request is successfully validated, the Authorization server responds with “200 OK” indicating that the authorization request has been accepted.
  • And Authorization server sends an Authorization response.
  • If failed invalidation, the response message is sent with error_message and error_code. We can see them later in detail.

Parameters of the Authentication Response

  1. auth_req_id :

2. expires_in

3. Interval

Sample response

2.1 Response Validation

If the Client app of the consumption device received “200 OK”, then it should

  1. Validate for the presence of all parameters. Especially, auth_req_id which is very critical for any further interactions.
  2. Should clean up all expired authentication responses.

3. Communication

  • Now OP(OpenId provider-Authorization server) communicates with the end-user.
  • This communication step is out of the scope of the specification of CIBA.
  • We need to choose a better option to implement.
  • Some sample communication:
  1. End-user installs the client app in mobile[Authentication device]. Then he registers to the Authorization server with user identity and appid. Whence authentication is needed, appid of given user identity is classified and pushed a notification as a request for consent and credentials.
  2. Authorization server releases an app of its own, where a user can register with his identity and app id. For any registered client app, if a user needs a service at consumption device, client app in consumption device sends user identity [hints] to the Authorization Server and Authorization server searches for appid of the particular user identifier and push a notification to the authentication device of the particular user. Then he authenticates.

4. Notification in Push

In “Push” mode, once the consent and credentials are obtained by the Authorization server, Server creates an ID and access tokens and send a notification to client_notification_endpoint inclusive of ID and access tokens.

client_notification_token is a mandatory parameter in authentication request if the prefered [registered] flow is push or ping

5. Notification in Ping

  • Notification in “Ping” mode is a mere notification to the client.
  • Once the credentials and consents are received from an authentication device, the server will be ready to issue ID and access token. So it sends a notification to the Consumption device. To be specific, send a notification to Client Notification Endpoint.
  • Then Client app in Consumption device will initiate token request which is all similar to Polling.
  • Parameter involved : auth_req_id [mandatory]

4. Token Request

This step is common to ping/poll flow patterns.

Parameters involved.

  1. grant_type

2. auth_req_id

Sample token request

5. Token Response

Token response too, common for ping and poll

  • Token Response usually adds access token, ID token and optionally a refresh token.
  • It also includes expires_in parameter to mark the expiry time of the token provided.

Here I conclude for today. We have a lot to discuss dear.Error codes, security issues, implementation architecture and some more. Sooner the architecture blog might be up-here as Jarvis and I had several sessions on building up architecture to integrate CIBA feature into WSO2 Identity Server. Thanks to Ruwan Abeykoon [Architect — WSO2 ], Farasath Ahamed [Associate Tech-Lead -WSO2] and Senthalan Kanagalingam[Senior Software Engineer -WSO2] for helping me in figuring out an architecture. We will have a discussion soon buddy. Till then ready your architecture if interested and let’s discuss on that too. See you people.

Thanks, Jarvis.!!

See you.

References:

  1. https://www.authlete.com/news/20190213_ciba_pr/
  2. https://medium.com/@darutk/ciba-a-new-authentication-authorization-technology-in-2019-explained-by-an-implementer-d1e0ac1311b4
  3. https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.9
  4. https://blog.usejournal.com/lets-break-up-dear-decouple-ourselves-88159a86aba
Ciba
Wso2is
Identity And Access
Internships
Area 51

--

--

Vivekvinushanth Christopher
Authenticate

Written by Vivekvinushanth Christopher

229 Followers

Engineer | Software Engineer @WSO2

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams