CIBA Backchannel Authentication (v1)

Overview

This endpoint accepts the same parameters as the standard CIBA backchannel authentication API and returns CIBA-compliant success and error responses (not wrapped into Plumery error structures). Either login_hint, id_token_hint or login_hint_token must be provided.

Examples of App authentication errors returned with error code invalid_request and the following error_description values:

  • “invalid user”: user does not exist
  • “missing valid device”: user has no registered devices
  • “missing valid device authentication”: user device has no authentication certificates

The login_hint parameter accepts multiple formats in order to identify the user:

  • the plain username without any prefix (e.g. login_hint = "john.doe")
  • personalId format: personalId:{countryCode}:{personalId} (e.g. login_hint = "personalId:LT:1234567890")
  • username format: username:{username} (e.g. login_hint = "username:john.doe")

The phone_number is mandatory if acr_values = "mobile-id". The phone_number must match the phone number of the user corresponding to the login_hint. If the field is provided optionally for another acr_values, the same match validation is still performed.

The personal_id and country are mandatory if acr_values = "smart-id". They must match the personal_id and country of the user corresponding to the login_hint. If the fields are provided optionally for another acr_values, the same match validations are still performed.
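The validation rules above, as an added Python example that is not part of the Plumery API or its documentation: it resolves the three login_hint formats, applies the acr_values-specific mandatory-field and match checks, and returns unwrapped CIBA-style error bodies with the documented error_description values. The user store, the device/certificate fields and the expires_in default of 120 seconds are constructed assumptions, and only login_hint is resolved (id_token_hint and login_hint_token handling is left out).

```python
import re
import secrets

# Constructed sample user store; device_certs: None = no registered device, 0 = device without an auth certificate.
USERS = {
    "john.doe": {"personal_id": "1234567890", "country": "LT", "phone_number": "+37060000000", "device_certs": 1},
    "no.device": {"personal_id": "0987654321", "country": "LT", "phone_number": "+37061111111", "device_certs": None},
    "no.cert": {"personal_id": "1111111111", "country": "LT", "phone_number": "+37062222222", "device_certs": 0},
}
_PERSONAL_ID = re.compile(r"^personalId:([A-Z]{2}):(.+)$")
_USERNAME = re.compile(r"^username:(.+)$")

def resolve_login_hint(hint):
    # Accepts the three documented formats: plain username, personalId:CC:id, username:name.
    if m := _PERSONAL_ID.match(hint):
        for name, u in USERS.items():
            if (u["country"], u["personal_id"]) == (m[1], m[2]):
                return name, u
        return None, None
    m = _USERNAME.match(hint)
    name = m[1] if m else hint  # no prefix means the value is the plain username
    return (name, USERS[name]) if name in USERS else (None, None)

def invalid_request(description):  # CIBA error body, returned unwrapped as the endpoint documents
    return 400, {"error": "invalid_request", "error_description": description}

def backchannel_auth(req):
    if "openid" not in req.get("scope", "").split():
        return invalid_request("scope must include openid")
    hints = [k for k in ("login_hint", "id_token_hint", "login_hint_token") if req.get(k)]
    if hints != ["login_hint"]:  # CIBA allows exactly one hint; this example resolves login_hint only
        return invalid_request("exactly one user hint is required (login_hint in this example)")
    name, user = resolve_login_hint(req["login_hint"])
    if user is None:
        return invalid_request("invalid user")
    if user["device_certs"] is None:
        return invalid_request("missing valid device")
    if user["device_certs"] == 0:
        return invalid_request("missing valid device authentication")
    acr, phone, pid, country = (req.get(k) for k in ("acr_values", "phone_number", "personal_id", "country"))
    if acr == "mobile-id" and not phone:
        return invalid_request("phone_number is required for mobile-id")
    if acr == "smart-id" and not (pid and country):
        return invalid_request("personal_id and country are required for smart-id")
    # eId fields supplied for any other acr_values are still checked against the resolved user.
    if phone is not None and phone != user["phone_number"]:
        return invalid_request("phone_number does not match user")
    if (pid is not None and pid != user["personal_id"]) or (country is not None and country != user["country"]):
        return invalid_request("personal_id or country does not match user")
    return 200, {"auth_req_id": secrets.token_urlsafe(24), "expires_in": req.get("requested_expiry", 120), "interval": 5}
```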

POST (/internal/v1/auth/ciba/backchannel-auth)

Responses

200 OK

Successful CIBA backchannel authentication response as defined by OpenID Connect CIBA.

400 Bad Request

Error response for CIBA endpoints, following OAuth 2.0 and OpenID Connect error format.

401 Unauthorized

Error response for CIBA endpoints, following OAuth 2.0 and OpenID Connect error format.

500 Internal Server Error

Error response for CIBA endpoints, following OAuth 2.0 and OpenID Connect error format.

default

Error response for CIBA endpoints, following OAuth 2.0 and OpenID Connect error format.

Request body schema (11 properties)

scope string
required

Space-separated list of requested scopes. Must include openid.

login_hint string

Hint about the login identifier of the user.

id_token_hint string

Previously issued ID Token used as a hint about the user.

login_hint_token string

Token that contains information identifying the user.

acr_values string

Requested Authentication Context Class Reference values.

binding_message string

Human-readable message displayed to the user on the authenticating device.

requested_expiry integer <int32>

Requested expiry time for the auth_req_id in seconds.

personal_id string

Custom field with the user's personal identifier. Used when an eId provider is used for authentication.

phone_number string

Custom field with the user's phone number. Used when an eId provider is used for authentication.

country string

Custom field with the user's country code. Used when an eId provider is used for authentication.

authentication_code_base_64 string

Custom base64-encoded authentication code. Used when an eId provider is used for authentication; whether it must be passed depends on the eId provider.

Success response schema (3 properties)

Successful CIBA backchannel authentication response as defined by OpenID Connect CIBA.

auth_req_id string
required

Authentication request identifier used later on the token endpoint.

expires_in integer <int32>
required

Lifetime in seconds of the auth_req_id.

interval integer <int32>

Minimum amount of time in seconds that the client must wait between polling requests to the token endpoint.

Error response schema (3 properties), shared by the 400, 401, 500 and default responses

Error response for CIBA endpoints, following OAuth 2.0 and OpenID Connect error format.

error string
required

Error code.

Allowed values: invalid_request invalid_client invalid_grant unauthorized_client access_denied invalid_scope authorization_pending slow_down expired_token server_error temporarily_unavailable

error_description string

Human-readable ASCII text providing additional information about the error.

error_uri string <uri>

URI identifying a human-readable web page with information about the error.

3 properties

Error response for CIBA endpoints, following OAuth 2.0 and OpenID Connect error format.

error string
required

Error code.

Allowed values: invalid_request invalid_client invalid_grant unauthorized_client access_denied invalid_scope authorization_pending slow_down expired_token server_error temporarily_unavailable
error_description string

Human-readable ASCII text providing additional information about the error.

error_uri string <uri>

URI identifying a human-readable web page with information about the error.
