Do not auto-include custom ciba request params in response

src/IdentityServer/Endpoints/Results/BackchannelAuthenticationResult.cs

@@ -71,7 +71,7 @@ public async Task WriteHttpResponse(BackchannelAuthenticationResult result, Http
                 expires_in = result.Response.ExpiresIn,
                 interval = result.Response.Interval,
 
-                Properties = result.Response.Properties
+                Custom = result.Response.Custom
             });
         }
     }
@@ -84,7 +84,7 @@ internal class SuccessResultDto
         public int interval { get; set; }
 
         [JsonExtensionData]
-        public Dictionary<string, object> Properties { get; set; }
+        public Dictionary<string, object> Custom { get; set; }
 #pragma warning restore IDE1006 // Naming Styles
     }
 

src/IdentityServer/Models/BackchannelUserLoginRequest.cs

@@ -62,8 +62,9 @@ public class BackchannelUserLoginRequest
     public ResourceValidationResult ValidatedResources { get; set; } = default!;
 
     /// <summary> 
-    /// Gets or sets a dictionary of custom properties that can pass additional
-    /// state to the notification process.
+    /// Gets or sets a dictionary of custom properties associated with this
+    /// request. These properties by default are copied from the validated
+    /// custom request parameters.
     /// </summary>
     public Dictionary<string, object> Properties { get; set; } = new();
 }

src/IdentityServer/ResponseHandling/Default/BackchannelAuthenticationResponseGenerator.cs

@@ -99,7 +99,6 @@ public virtual async Task<BackchannelAuthenticationResponse> ProcessAsync(Backch
             AuthenticationRequestId = requestId,
             ExpiresIn = request.Lifetime,
             Interval = interval,
-            Properties = validationResult.ValidatedRequest.Properties
         };
 
         await UserLoginService.SendLoginRequestAsync(new BackchannelUserLoginRequest

src/IdentityServer/ResponseHandling/Models/BackchannelAuthenticationResponse.cs

@@ -61,8 +61,10 @@ public BackchannelAuthenticationResponse(string error, string errorDescription =
     public int Interval { get; set; }
 
     /// <summary> 
-    /// Gets or sets a dictionary of custom properties that can pass additional
-    /// state in the response to the client application.
+    /// Gets or sets a dictionary of custom properties that will be included in
+    /// the response to the client. This dictionary is intended to be used to
+    /// implement extensions to CIBA that defines additional response
+    /// parameters.
     /// </summary>
-    public Dictionary<string, object> Properties { get; set; } = new();
+    public Dictionary<string, object> Custom { get; set; } = new();
 }

src/IdentityServer/Validation/Models/ValidatedBackchannelAuthenticationRequest.cs

@@ -85,8 +85,11 @@ public class ValidatedBackchannelAuthenticationRequest : ValidatedRequest
     public string? RequestObject { get; set; }
 
     /// <summary>
-    /// Gets or sets a dictionary of custom properties that can pass
-    /// additional state to the back channel authentication process.
+    /// Gets or sets a dictionary of validated custom request parameters. Custom
+    /// request parameters should be validated and added to this collection in
+    /// an <see cref="ICustomBackchannelAuthenticationValidator"/>. These
+    /// properties are persisted to the store and made available in the
+    /// backchannel authentication UI and notification services.
     /// </summary>
     public Dictionary<string, object> Properties { get; set; } = new();
 }

src/Storage/Models/BackChannelAuthenticationRequest.cs

@@ -92,7 +92,9 @@ public class BackChannelAuthenticationRequest
     public string? Description { get; set; }
 
     /// <summary>
-    /// Gets or sets a dictionary of custom properties associated with this instance.
+    /// Gets or sets a dictionary of custom properties associated with this
+    /// request. These properties by default are copied from the validated
+    /// custom request parameters.
     /// </summary>
     public Dictionary<string, object> Properties { get; set; } = new();
 }

test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs

@@ -252,7 +252,7 @@ public async Task custom_validators_are_invoked_and_can_process_custom_input()
 
     [Fact]
     [Trait("Category", Category)]
-    public async Task custom_validator_can_add_complex_properties_that_are_passed_to_user_notification_and_client_response()
+    public async Task custom_validator_can_add_complex_properties_that_are_passed_to_user_notification_but_not_client_response()
     {
         _mockCustomBackchannelAuthenticationValidator.Thunk = ctx =>
             {
@@ -281,13 +281,12 @@ public async Task custom_validator_can_add_complex_properties_that_are_passed_to
             IdentityServerPipeline.BackchannelAuthenticationEndpoint,
             new FormUrlEncodedContent(body));
 
-        // Custom properties are flattened into the response to the client
+        // Custom request properties are not included automatically in the response to the client
         response.StatusCode.Should().Be(HttpStatusCode.OK);
         var responseContent = await response.Content.ReadAsStringAsync();
         var json = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(responseContent);
         json.Should().NotBeNull();
-        var complex = json["complex"];
-        complex.TryGetValue("nested").GetString().Should().Be("value");
+        json.Should().NotContainKey("complex");
 
         // Custom properties are passed to the notification service
         var notificationProperties = _mockCibaUserNotificationService.LoginRequest.Properties;