To use Client-Initiated Backchannel Authentication (CIBA) features, you must have an Enterprise Plan or an appropriate add-on. Refer to Auth0 Pricing for details.
The Client-Initiated Backchannel Authentication (CIBA) flow is a decoupled authentication and authorization flow defined by the OpenID Foundation. You can use the CIBA flow in asynchronous workflows where the device initiating the CIBA request (the consumption device) is different from the device used by the user to authenticate (the authentication device). To configure CIBA in Auth0, complete the steps described in the following sections.

Prerequisites

Before configuring CIBA for your application, make sure you set an authentication method for your application. You can use any authentication method, including mTLS authentication, Private Key JWT, and client secret authentication, with the CIBA flow. To set the authentication method for your application, read Credential Settings.

Configure CIBA grant for your application

You can configure CIBA for your application with the Auth0 Dashboard or Management API. There are some restrictions on the types of clients that can use the CIBA grant type. You can only use the CIBA grant type if:
  • The client is a first-party client, i.e. the is_first_party property is true.
  • The client is confidential and has an authentication mechanism, i.e. the token_endpoint_auth_method property is not set to none.
  • The client is OIDC conformant, i.e. the oidc_conformant property is true. This is the default for all new clients.
Once you enable the CIBA grant type, the configuration settings for the notification channels available to your application will become visible.
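The three restrictions above are cheap to check before you call the Management API, and getting them wrong is the usual reason the grant fails to enable. The following is an added example, not Auth0's own code: it inspects a client record shaped like the object returned by the Management API (the property names is_first_party, token_endpoint_auth_method, oidc_conformant and grant_types are the ones named on this page) and builds the grant_types value that adds the CIBA grant. The grant-type URN is the one defined by the CIBA specification; the sample client records are constructed for the example.

```python
"""Added example (not Auth0 code): validate the CIBA client restrictions and
build the grant_types update that enables the grant.

Assumptions, labelled here because the page does not show them:
  - CIBA_GRANT is the grant-type URN defined by the OpenID CIBA specification.
  - The client dicts are shaped like Management API client objects; only the
    properties this page names are used.
  - The sample records below are constructed for the example.
"""

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


def ciba_ineligibility_reasons(client: dict) -> list[str]:
    """Return every restriction the client violates (empty list == eligible)."""
    reasons = []
    if not client.get("is_first_party", False):
        reasons.append("client must be first-party (is_first_party=true)")
    # The page's wording is "must not be set to none": a public client that
    # cannot authenticate to the token endpoint cannot use CIBA.
    if client.get("token_endpoint_auth_method") == "none":
        reasons.append("client must be confidential (token_endpoint_auth_method != none)")
    if not client.get("oidc_conformant", False):
        reasons.append("client must be OIDC conformant (oidc_conformant=true)")
    return reasons


def ciba_grant_types(client: dict) -> list[str]:
    """Return the grant_types array to send when enabling CIBA on the client.

    The existing grants are preserved because the update replaces the whole
    array; the CIBA grant is appended only once. Raises ValueError with the
    violated restrictions if the client is not eligible.
    """
    reasons = ciba_ineligibility_reasons(client)
    if reasons:
        raise ValueError("; ".join(reasons))
    grants = list(client.get("grant_types", []))
    if CIBA_GRANT not in grants:
        grants.append(CIBA_GRANT)
    return grants


# Constructed sample records (not real tenants or clients).
CONFIDENTIAL_CLIENT = {
    "client_id": "example-confidential",
    "is_first_party": True,
    "oidc_conformant": True,
    "token_endpoint_auth_method": "client_secret_post",
    "grant_types": ["client_credentials"],
}
PUBLIC_SPA_CLIENT = {
    "client_id": "example-spa",
    "is_first_party": True,
    "oidc_conformant": True,
    "token_endpoint_auth_method": "none",
    "grant_types": ["authorization_code", "refresh_token"],
}
THIRD_PARTY_LEGACY_CLIENT = {
    "client_id": "example-third-party",
    "is_first_party": False,
    "oidc_conformant": False,
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["authorization_code"],
}

if __name__ == "__main__":
    print({"grant_types": ciba_grant_types(CONFIDENTIAL_CLIENT)})
    for c in (PUBLIC_SPA_CLIENT, THIRD_PARTY_LEGACY_CLIENT):
        print(c["client_id"], "->", ciba_ineligibility_reasons(c))
```

Run the eligibility check against the client object you fetched before issuing the update; a public SPA fails on the confidentiality rule and a non-OIDC-conformant legacy client fails on two rules, which is what the constructed records demonstrate.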
To configure CIBA for your application with the Auth0 Dashboard:
  1. Navigate to Applications > Applications in the Auth0 Dashboard.
  2. Create an application and then enable Client Initiated Backchannel Authentication (CIBA) under the Grant Types tab.
  3. Click Save Changes.

Enable notification channels for your application

Once you have enabled the CIBA grant type for your application, you can configure which notification channels are enabled for the CIBA flow. If you have enabled multiple notification channels, CIBA uses the value of the requested_expiry parameter to determine which notification channel to use. The requested_expiry determines the maximum duration for which the CIBA session should be valid in seconds:
  • Mobile push notifications: If you set your requested_expiry to a value of 300 seconds or lower, CIBA uses the mobile push notification channel if enabled.
  • Email notifications: If you set your requested_expiry to a value between 301 and 259200 seconds (72 hours), CIBA uses the email notification channel if enabled.
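The channel is chosen from requested_expiry alone, but whether the request can actually be delivered also depends on the user: this page states further down that a user not enrolled for push MFA falls back to email if that channel is enabled, and that an unverified email address causes the email request to be rejected. The following is an added example, not Auth0's own code, that puts those rules in one place so you can reason about a given configuration. The thresholds (300 s and 259200 s) come from the text; treating a requested_expiry outside 1..259200 as invalid, and rejecting a request whose preferred channel is not enabled at all, are this example's own choices, since the page does not specify that behaviour. The tenant and user records are constructed.

```python
"""Added example (not Auth0 code): resolve which CIBA notification channel a
request would use, given requested_expiry, the tenant's enabled channels and
the authorizing user's state.

Assumptions labelled here because the page does not state them:
  - requested_expiry outside 1..259200 seconds is treated as invalid.
  - A request whose preferred channel is disabled is treated as rejected.
  - The tenant/user dicts and sample values below are constructed.
"""

PUSH_MAX_SECONDS = 300          # requested_expiry <= 300 s prefers mobile push
EMAIL_MAX_SECONDS = 72 * 3600   # 259200 s, upper bound for the email channel


def channel_for_expiry(requested_expiry: int) -> str:
    """Map requested_expiry (seconds) to the channel CIBA prefers: push or email."""
    if (not isinstance(requested_expiry, int)
            or requested_expiry < 1
            or requested_expiry > EMAIL_MAX_SECONDS):
        raise ValueError(f"requested_expiry must be an integer in 1..{EMAIL_MAX_SECONDS}")
    return "push" if requested_expiry <= PUSH_MAX_SECONDS else "email"


def resolve_channel(requested_expiry: int, tenant: dict, user: dict) -> str:
    """Return "push", "email", or a string starting with "rejected:".

    tenant: {"push_enabled": bool, "email_enabled": bool}
    user:   {"push_enrolled": bool, "email_verified": bool}
    """
    preferred = channel_for_expiry(requested_expiry)
    if preferred == "push" and tenant["push_enabled"]:
        if user["push_enrolled"]:
            return "push"
        # Documented fallback: an unenrolled user gets email, if enabled,
        # instead of an outright rejection.
        preferred = "email"
    if preferred == "email" and tenant["email_enabled"]:
        if user["email_verified"]:
            return "email"
        # Documented behaviour: no verified address means the email request fails.
        return "rejected: authorizing user has no verified email address"
    # Example's own choice: nothing enabled can carry this request.
    return "rejected: no enabled notification channel for this requested_expiry"


# Constructed sample configurations.
TENANT_BOTH = {"push_enabled": True, "email_enabled": True}
TENANT_PUSH_ONLY = {"push_enabled": True, "email_enabled": False}
USER_ENROLLED = {"push_enrolled": True, "email_verified": True}
USER_EMAIL_ONLY = {"push_enrolled": False, "email_verified": True}
USER_UNVERIFIED = {"push_enrolled": False, "email_verified": False}

if __name__ == "__main__":
    for expiry, tenant, user in [
        (120, TENANT_BOTH, USER_ENROLLED),
        (120, TENANT_BOTH, USER_EMAIL_ONLY),
        (3600, TENANT_BOTH, USER_UNVERIFIED),
        (120, TENANT_PUSH_ONLY, USER_EMAIL_ONLY),
    ]:
        print(expiry, "->", resolve_channel(expiry, tenant, user))
```

Because requested_expiry is also the maximum lifetime of the pending CIBA session, pick the smallest value the workflow tolerates: a value of a few minutes keeps the request on the push channel and limits how long a stale approval can still complete, whereas a multi-day email window exists for genuinely asynchronous approvals.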
To configure the notification channel for your application with the Auth0 Dashboard:
  • Navigate to Applications > Applications.
  • In your application settings, go to the Client Initiated Backchannel Authentication (CIBA) section and select the notification channel(s) to enable.

Configure notification channel

Once you have enabled the notification channel(s) for your client application, configure each enabled channel for the CIBA flow as described in the following sections.

Configure mobile push notifications

To send mobile push notifications with CIBA, you can use:
  • The Auth0 Guardian app
  • A custom app integrated with the Auth0 Guardian SDK
You can select which app to use when enabling Auth0 Guardian push notifications. If you want to use a custom app, you need to integrate it with the Auth0 Guardian SDK. This allows the authorizing user to approve push notification challenges initiated by the CIBA flow in your custom app. To configure mobile push notifications, complete the following steps.

Enable Auth0 Guardian push notifications

Use the Auth0 Dashboard to enable the Auth0 Guardian Push Notification factor for your tenant. In the Auth0 Dashboard:
  • Select Security > Multi-factor Auth.
  • Enable Push Notification using Auth0 Guardian. This may require some configuration settings. To learn more, read Configure Push Notifications for MFA.
  • For Push Notification App, select your desired app.
  • Click Save.

Enroll the authorizing user in MFA using push notifications

If the user is not enrolled to use MFA push notifications, Auth0 falls back to using email notifications, if configured, instead of rejecting the CIBA request.
For both the Auth0 Guardian app and a custom app, you must enroll the authorizing user in MFA using push notifications. To check whether the user is enrolled in the push notification factor, navigate to User Management > Users and click on the user.
If you have set MFA as always required for your tenant, users are prompted to enroll for MFA at their next login. You can also use Actions to prompt for MFA enrollment.

Configure email notifications

To use email notifications with CIBA, you need the Auth0 for AI Agents add-on with a paid plan. To learn more, read Auth0 Pricing.
You can send email notifications with the CIBA flow. To configure email notifications with CIBA, complete the following steps.

Configure your email provider

While you can use Auth0’s built-in email provider to test email delivery in your development and test environments, you must set up your own email provider to use email notifications with CIBA in a production environment. To learn how to set up your own email provider, read Customize emails.

Configure your email template

To configure the Asynchronous Approval email template:
  1. Navigate to Branding > Email Templates.
  2. For Template, select Asynchronous Approval from the dropdown menu.
  3. Fill in the rest of the template settings by following the Configure template fields instructions.

Ensure the authorizing user has a verified email address

If the user does not have a verified email address, Auth0 rejects the CIBA email request.
To send an email notification with CIBA, the authorizing user must have a verified email address associated with their user account. To confirm in the Auth0 Dashboard that the user's email address is verified:
  1. Navigate to User Management > Users and click on the user.
  2. Under Email, the user should have a verified email address listed.