Add CIBA support
@franticticktick I'm not familiar with OpenID Connect Client Initiated Backchannel Authentication Flow. I haven't heard of it much either so I'm not sure if it's widely used.
Can you provide more details on why and how you would use this feature? Do you know of any other well known providers that have implemented this spec?
Hi @jgrandja , you can see the implementation of this specification, for example, in Keycloak. Personally, I think CIBA is a very important flow, it can be used to authenticate a user through technical support, which is much more secure than the same OTP code from SMS (and this is used very often). Okta suggests using CIBA as an implementation of SCA, for example, transaction verification. In addition, there is a certain demand for this flow among Spring Security users.
https://github.com/spring-projects/spring-security/issues/14725#issuecomment-2755163142
Thanks for the details @franticticktick.
It appears Keycloak hasn't implemented CIBA as of yet since the link you provided says the status is "Draft # 1".
I'm not convinced this capability is in widespread use as of today and it's not clear if it will be in the future.
Our goal as a framework is to provide features that will be widely used, otherwise, we're supporting code that provides value only to a limited set of users.
There are so many OIDC / OAuth2 specs out there we can't implement them all. Our team resource capability has been reduced this past year so we need to be careful what we prioritize in our releases.
As of now, there are other priorities that we need to deal with and the CIBA capability is not on our radar as of now. I'll monitor this issue and we'll see if the demand for this feature picks up.
@jgrandja I don't know why the document status is draft, but CIBA is implemented in Keycloak and you can easily find a guide on how to set it up.
I'm not convinced this capability is in widespread use as of today and it's not clear if it will be in the future.
I see that many people use this flow, and those who do not use it invent their own protocols, for example, for user interaction with technical support. And this almost always leads to unpleasant consequences, since these protocols are rarely safe. Do I consider CIBA an important flow? Yes, I think so.
I agree. Another example: it's been adopted in CAMARA [1] (see OIDC profile https://github.com/camaraproject/IdentityAndConsentManagement/blob/r0.2.0/documentation/CAMARA-Security-Interoperability.md#client-initiated-backchannel-authentication-flow) and used in OpenGateway, the GSMA initiative to expose Telco APIs [2].
@jgrandja in https://github.com/spring-projects/spring-security/issues/14725#issuecomment-2786129774 you said that it "would require a new Backchannel Authentication Endpoint and some enhancements to the Token Endpoint". Perhaps you can add some additional pointers to guide the community to build extensions on top of Spring Authorization Server. Does it make sense, or are there no "extension points" for a third party to implement this grant type?
[1] https://camaraproject.org/
[2] https://www.gsma.com/solutions-and-impact/gsma-open-gateway/
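To make concrete what "a new Backchannel Authentication Endpoint and some enhancements to the Token Endpoint" mean for the poll mode of CIBA, here is an added illustration that is not code from Spring Authorization Server, Keycloak or anyone in this thread: an in-memory model of the two endpoints, with the `auth_req_id` handle bound to the requesting client, the `authorization_pending` / `slow_down` / `access_denied` / `expired_token` token-endpoint errors, and single-use handles. Client ids, hints and timings are constructed; `now` is passed in explicitly so the exchange can be stepped through deterministically.

```python
"""Minimal poll-mode CIBA exchange: backchannel authentication endpoint plus the
CIBA grant at the token endpoint.  Added in-memory model, not any project's code."""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type value from the CIBA spec


class CibaAuthorizationServer:
    def __init__(self, expires_in=120, interval=5):
        self.expires_in, self.interval = expires_in, interval
        self.requests = {}  # auth_req_id -> pending request state (constructed store)

    def backchannel_authenticate(self, client_id, scope, login_hint, now):
        # Step 1: the client asks the AS to authenticate the user out of band.
        # Only an opaque handle and polling parameters come back, no tokens.
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "login_hint": login_hint,
            "expires_at": now + self.expires_in, "status": "pending", "last_poll": None}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in,
                "interval": self.interval}

    def user_decides(self, auth_req_id, approved):
        # Step 2: the end user approves or rejects on their authentication device.
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id, now):
        # Step 3: the client polls the token endpoint with the CIBA grant.
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}  # handle is bound to the requesting client
        if now >= req["expires_at"]:
            self.requests.pop(auth_req_id)
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            return {"error": "slow_down"}  # polled faster than the advertised interval
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            self.requests.pop(auth_req_id)
            return {"error": "access_denied"}
        self.requests.pop(auth_req_id)  # single use: a replayed auth_req_id is rejected
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 300, "scope": req["scope"]}
```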