Add CIBA support #1938

franticticktick opened this issue Mar 19, 2025 · 5 comments
Labels
status: on-hold We can't start working on this issue yet type: enhancement A general enhancement

Comments

@franticticktick
Contributor

Need to consider adding CIBA support.

@franticticktick franticticktick added the type: enhancement A general enhancement label Mar 19, 2025
@jgrandja
Collaborator

@franticticktick I'm not familiar with OpenID Connect Client Initiated Backchannel Authentication Flow. I haven't heard of it much either, so I'm not sure if it's widely used.

Can you provide more details on why and how you would use this feature? Do you know of any other well known providers that have implemented this spec?

@franticticktick
Contributor Author

Hi @jgrandja, you can see the implementation of this specification, for example, in Keycloak. Personally, I think CIBA is a very important flow; it can be used to authenticate a user through technical support, which is much more secure than the same OTP code from SMS (and this is used very often). Okta suggests using CIBA as an implementation of SCA, for example, transaction verification.
In addition, there is a certain demand for this flow among Spring Security users.

@jgrandja
Collaborator

Thanks for the details @franticticktick.

It appears Keycloak hasn't implemented CIBA as of yet since the link you provided says the status is "Draft # 1".

I'm not convinced this capability is in widespread use as of today and it's not clear if it will be in the future.

Our goal as a framework is to provide features that will be widely used, otherwise, we're supporting code that provides value only to a limited set of users.

There are so many OIDC / OAuth2 specs out there we can't implement them all. Our team resource capability has been reduced this past year so we need to be careful what we prioritize in our releases.

As of now, there are other priorities that we need to deal with and the CIBA capability is not on our radar as of now. I'll monitor this issue and we'll see if the demand for this feature picks up.

@jgrandja jgrandja added the status: on-hold We can't start working on this issue yet label Mar 28, 2025
@franticticktick
Contributor Author

@jgrandja I don't know why the document status is draft, but CIBA is implemented in Keycloak and you can easily find a guide on how to set it up.

I'm not convinced this capability is in widespread use as of today and it's not clear if it will be in the future.

I see that many people use this flow, and those who do not use it invent their own protocols, for example, for user interaction with technical support. And this almost always leads to unpleasant consequences, since these protocols are rarely safe. Do I consider CIBA an important flow? Yes, I think so.
