CIBA Flow

Client Initiated Backchannel Authentication lets a client start authentication without redirecting the user's browser through the front channel.

Prerequisites

  • A client allowed to use CIBA
  • A user notification or approval experience
  • Polling through the token endpoint using an authentication request ID

Flow

  1. The client sends a backchannel authentication request.
  2. TokenIDP validates the client and target user context.
  3. The user approves or rejects authentication through the configured out-of-band experience.
  4. The client polls /token with the returned authentication request ID.
  5. TokenIDP returns tokens when the request is approved.
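The five steps above as a worked Python client, added here as an example and not taken from the TokenIDP project. TokenIDP is replaced by a constructed in-memory stub that plays steps 2 and 3 (validation and the user's out-of-band decision); the /bc-authorize path, the auth_req_id and the token values are assumptions, while the grant type and the error codes are those defined by OpenID Connect CIBA Core 1.0. The poller backs off on slow_down so it never polls faster than the server allows, and it stops on denial or expiry instead of polling forever.

```python
import time

# Grant type and error codes from OpenID Connect CIBA Core 1.0; the /bc-authorize path is an assumption.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"
PENDING, SLOW_DOWN, DENIED, EXPIRED = "authorization_pending", "slow_down", "access_denied", "expired_token"

class CibaError(Exception):
    """Raised with the token endpoint's error code, or 'expired_token' when the local deadline passes."""

def start_backchannel_auth(post, login_hint, scope="openid"):
    """Step 1: send the backchannel authentication request; returns auth_req_id, interval, expires_in."""
    resp = post("/bc-authorize", {"scope": scope, "login_hint": login_hint})
    return resp["auth_req_id"], resp.get("interval", 5), resp["expires_in"]

def poll_for_tokens(post, auth_req_id, interval, expires_in, sleep=time.sleep, clock=time.monotonic):
    """Steps 4-5: poll /token no faster than `interval` seconds until tokens, a denial, or expiry."""
    deadline = clock() + expires_in
    while clock() < deadline:
        resp = post("/token", {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == SLOW_DOWN:      # server says we poll too frequently: back off by 5 seconds
            interval += 5
        elif err != PENDING:      # access_denied, expired_token, invalid_grant, ...: stop polling
            raise CibaError(err or "invalid_response")
        sleep(interval)
    raise CibaError(EXPIRED)

class FakeTokenIDP:
    """Constructed stand-in for TokenIDP (steps 2-3): the user decides after `approve_after` polls."""
    def __init__(self, approve_after=2, decision="approved"):
        self.approve_after, self.decision, self.polls = approve_after, decision, 0
    def post(self, path, form):
        if path == "/bc-authorize":
            return {"auth_req_id": "req-constructed-123", "interval": 5, "expires_in": 120}
        assert form["grant_type"] == CIBA_GRANT and form["auth_req_id"] == "req-constructed-123"
        self.polls += 1
        if self.polls == 1:                     # first poll arrived too early
            return {"error": SLOW_DOWN}
        if self.polls <= self.approve_after:    # user has not answered the out-of-band prompt yet
            return {"error": PENDING}
        if self.decision == "denied":
            return {"error": DENIED}
        return {"access_token": "at-constructed", "token_type": "Bearer", "id_token": "idt-constructed"}

def run_ciba(decision="approved"):
    idp, slept = FakeTokenIDP(decision=decision), []   # slept records every back-off interval used
    auth_req_id, interval, expires_in = start_backchannel_auth(idp.post, "user@example.com")
    tokens = poll_for_tokens(idp.post, auth_req_id, interval, expires_in, sleep=slept.append, clock=lambda: 0.0)
    return tokens, slept
```

With the stub approving on the third poll, run_ciba() returns the token response and the intervals [10, 10], showing the back-off after slow_down; run_ciba("denied") raises CibaError("access_denied") instead of continuing to poll.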

Common Pitfalls

  • Treating CIBA as a browser redirect flow.
  • Polling too frequently.
  • Not designing a clear user approval experience.

Troubleshooting

  • If polling returns a pending status, confirm that the user approval step has completed.
  • If the request is denied, verify the client policy and user binding.