[Design Discussion] Client-Initiated Backchannel Authentication (CIBA)

[sahandilshan]

Related Feature Issue

#2739

Problem Summary

ThunderID needs to support CIBA (OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0) to enable decoupled authentication scenarios. CIBA allows a client to initiate authentication of a user without browser redirects — the AS notifies the user on a separate device/channel, the user authenticates there, and the client retrieves tokens via polling. This is essential for call centers, POS, IoT, ambient agent authentication, and emerging agent-to-agent workflows.

High-Level Approach

• Add a backchannel authentication endpoint (/oauth2/bc-authorize) that accepts client-initiated auth requests
• Introduce a flow-based grant pattern for CIBA: ClientValidator → IdentifyingExecutor (Grant Identifier) → CIBAGrantExecutor — this is new to ThunderID; existing grants are procedural and will adopt this pattern in future
• CIBAGrantExecutor orchestrates two mandatory sub-flows:
  • Notification Dispatch — resolve the best channel to reach the user (SMS/Email) and send the authentication request notification
  • Async User Auth — the user-side authentication journey on their device: Authentication Flow → Authorization Flow → Auth Assertion
• Token delivery via poll mode: client polls /token with auth_req_id, AS responds authorization_pending until user completes
• Async state management via RuntimeDB: auth_req_id links the client-side request to the user-side authentication, with TTL-based expiry
• Extend the token endpoint to handle grant_type=urn:openid:params:grant-type:ciba
• Extend DCR to accept CIBA-specific client metadata

Architecture Overview

Client                          ThunderID AS                        User's Device
  │                                 │                                    │
  │  POST /oauth2/bc-authorize      │                                    │
  │  (client auth + login_hint)     │                                    │
  │────────────────────────────────▶│                                    │
  │                                 │                                    │
  │                          ┌──────┴──────────┐                         │
  │                          │ ClientValidator  │                         │
  │                          └──────┬──────────┘                         │
  │                                 │                                    │
  │                          ┌──────┴──────────┐                         │
  │                          │ Identifying      │                         │
  │                          │ Executor (Grant  │                         │
  │                          │ Identifier)      │                         │
  │                          └──────┬──────────┘                         │
  │                                 │                                    │
  │                          ┌──────┴──────────┐                         │
  │                          │ CIBAGrant       │                         │
  │                          │ Executor        │                         │
  │                          └──────┬──────────┘                         │
  │                                 │                                    │
  │                                 │  Sub-flow 1: Notification Dispatch │
  │                                 │  ┌─────────────────────┐           │
  │                                 ├──│ Channel Resolution   │           │
  │                                 │  │ + SMS/Email Executor │──────────▶│ Notification
  │                                 │  └─────────────────────┘           │
  │                                 │                                    │
  │  ◀──── auth_req_id ────────────│  Store pending state               │
  │        + interval/expiry        │  in RuntimeDB                      │
  │                                 │                                    │
  │                                 │  Sub-flow 2: Async User Auth       │
  │                                 │            ┌───────────────────────┐│
  │                                 │            │ Authentication Flow  ││
  │                                 │            │  (Passkey/OTP/PIN/   ││
  │                                 │            │   approve-deny)      ││
  │                                 │            │         │            ││
  │                                 │            │         ▼            ││
  │                                 │            │ Authorization Flow   ││
  │                                 │            │  (scope/permission   ││
  │                                 │            │   validation)        ││
  │                                 │            │         │            ││
  │                                 │            │         ▼            ││
  │                                 │            │ Auth Assertion       ││
  │                                 │            │  (write approval to  ││
  │                                 │            │   shared state)      ││
  │                                 │            └───────────┬──────────┘│
  │                                 │                        │           │
  │                                 │  ◀── approval signal ──┘           │
  │                                 │  auth_req_id → approved            │
  │                                 │                                    │
  │  POST /oauth2/token             │                                    │
  │  grant_type=ciba                │                                    │
  │  auth_req_id=xxx               │                                    │
  │────────────────────────────────▶│                                    │
  │                                 │                                    │
  │  ◀── access_token + id_token ──│                                    │
  │                                 │                                    │

Flow Pattern (CIBA-specific — existing grants do not follow this pattern yet):

Note: ThunderID's current OAuth grants (authorization code, client credentials, etc.) are implemented as procedural code, not as flow-based graphs. CIBA is the first grant to adopt a flow-oriented internal design. The intent is that other grants will migrate to this same pattern in the future, making CIBA the reference implementation for flow-based OAuth grants.

START → ClientValidator → IdentifyingExecutor (Grant Identifier) → CIBAGrantExecutor
                                                                       │
                                                                mandatory sub-flows:
                                                                  • Notification Dispatch
                                                                  • Async User Auth
                                                                       │
                                                                  ┌────┴────┐
                                                                  │ Async   │
                                                                  │ User    │
                                                                  │ Auth    │
                                                                  ├─────────┤
                                                                  │ • Authentication Flow
                                                                  │ • Authorization Flow
                                                                  │ • Auth Assertion
                                                                  └────┬────┘
                                                                       │
                                                                 Token Endpoint
                                                                 (poll mode)
                                                                       │
                                                                      END

Components:

• ClientValidator — validates client credentials and CIBA-specific request parameters
• IdentifyingExecutor (Grant Identifier) — resolves user from login_hint / login_hint_token / id_token_hint
• CIBAGrantExecutor — orchestrates the backchannel auth request, manages async state, delegates to sub-flows
• Notification Dispatch (sub-flow) — channel resolution + notification delivery via existing SMS/Email executors
• Async User Auth (sub-flow) — user-side journey: Authentication Flow → Authorization Flow → Auth Assertion
• Backchannel Auth Endpoint (/oauth2/bc-authorize) — new endpoint accepting CIBA requests
• Token Endpoint Extension — handle grant_type=urn:openid:params:grant-type:ciba, read async state by auth_req_id
• RuntimeDB State — auth_req_id → pending/approved/denied state with TTL
• DCR Extension — CIBA client metadata fields

Async State Lifecycle:

CIBAGrantExecutor creates:
  auth_req_id → { status: pending, client_id, scope, binding_message, expiry, interval }
                    ↓
Async User Auth completes (Auth Assertion):
  auth_req_id → { status: approved/denied, authenticated_user, consented_scopes }
                    ↓
Client polls /token:
  status=pending  → 400 authorization_pending
  status=denied   → 403 access_denied
  status=approved → 200 { access_token, id_token, refresh_token }
                    ↓
  auth_req_id → { status: consumed } → TTL expiry → deleted

Security Considerations

• Client authentication is mandatory — CIBA spec requires confidential clients; public clients must not use CIBA
• Binding message — display to user on their device so they can verify the request matches what the client claims (prevents phishing)
• Rate limiting — backchannel endpoint must be rate-limited to prevent auth request flooding
• auth_req_id entropy — must be cryptographically random, unguessable, and single-use
• TTL enforcement — pending auth requests must expire (configurable requested_expiry, capped by AS policy)
• Polling interval — enforce interval parameter; return slow_down error if client polls too fast
• User consent — must be collected on the user's device as part of the Async User Auth sub-flow (Authorization Flow), not assumed
• Token binding — issued tokens must be bound to the original CIBA request scope and resource

Impacted Areas

• OAuth2 package (backend/internal/oauth2/) — new backchannel endpoint, token endpoint extension for CIBA grant type
• Flow Engine (backend/internal/flow/) — async flow execution support (pause/resume on external signal)
• DCR (backend/internal/oauth2/dcr/) — CIBA client metadata fields
• RuntimeDB — new table/schema for CIBA auth request state
• Notification System — channel resolution logic, integration with existing SMS/Email executors
• Discovery (/.well-known/openid-configuration) — advertise CIBA support, poll mode, supported auth methods
• Console UI — application configuration for CIBA settings (future)

Alternatives Considered

Alternative 1: Implement CIBA as standalone procedural code (like existing grants)

• Pros: Simpler, consistent with current grant implementations
• Cons: Misses the opportunity to align with the planned flow-pluggable OAuth architecture; harder to refactor later
• Decision: Use internal flow-oriented design — composable executors and sub-flows, but not yet exposed in flow builder UI

Alternative 2: Wait for "OAuth grants as pluggable flows" before implementing CIBA

• Pros: CIBA would be fully flow-based from day one
• Cons: Blocks CIBA delivery on a larger architectural change with no concrete timeline
• Decision: Implement CIBA now with flow-aware internal patterns; migrate to full flow-pluggable when that infrastructure lands

Alternative 3: Support all three modes (poll, ping, push) from the start

• Pros: Full spec compliance from day one
• Cons: Ping/push require callback infrastructure and add complexity; poll covers the majority of use cases
• Decision: Start with poll mode; add ping/push in follow-up iterations

Questions for Community Input

1. What notification channels should be supported at launch? (Push notification requires mobile SDK integration — should we start with SMS/Email only?)
2. Should CIBA be gated behind a feature flag or enabled by default once implemented?
3. How should we handle the user-side authentication UX? Dedicated CIBA approval screen in Gate, or reuse existing auth flow screens with a CIBA context banner?
4. Should requested_expiry have an AS-enforced maximum, and if so, what's a sensible default? (CIBA spec suggests 120-300 seconds)
5. For the Async User Auth sub-flow, which authentication methods should be supported initially? (Approve/deny only? Or full auth method selection — passkey, OTP, etc.?)

[sahandilshan]

Revised Implementation Approach — What We Can Actually Build Today

After investigating the current ThunderID architecture, here is a revised and concrete implementation approach for CIBA.

Key Architecture Finding

The original proposal suggested a flow-based grant executor pattern (ClientValidator → IdentifyingExecutor → CIBAGrantExecutor). However, the current OAuth grant handlers are procedural — they implement ValidateGrant() + HandleGrant() and return synchronously. The flow engine is a separate system used for authentication/registration journeys.

But — the flow engine is not tied to HTTP or browser context. It operates on context.Context, not *http.Request. The OAuth authorize endpoint already calls flowExecService.InitiateFlow() programmatically from backend code. This means we can use the flow engine internally for CIBA's notification and async auth, without needing to restructure how grants work.

Implementation: Hybrid Approach

CIBA will be implemented as a procedural grant handler that internally triggers a system flow for the notification + user authentication journey.

1. Procedural Layer (Grant Handler + Endpoints)

• New CIBAGrantHandler implementing the existing GrantHandlerInterface — handles token endpoint polling
• New /oauth2/bc-authorize endpoint — accepts the backchannel auth request, validates the client, resolves the user, creates auth_req_id state, and programmatically initiates the internal CIBA flow
• Token endpoint extension — dispatches grant_type=urn:openid:params:grant-type:ciba to CIBAGrantHandler, which reads auth_req_id state from RuntimeDB and returns tokens or authorization_pending

2. Internal System Flow (Notification + Async User Auth)

The notification dispatch and user authentication will run as an internal flow — a standard ThunderID flow graph initiated programmatically by the backchannel endpoint, not by a browser. This is an internal system flow for now, not exposed in the flow builder UI.

A new flow type CIBA will be added alongside the existing types (AUTHENTICATION, REGISTRATION, USER_ONBOARDING, RECOVERY).

Flow graph:

START → NotificationDispatch → Authentication → Authorization → AuthAssertion → END

How it executes:

Phase 1 — Server-side (triggered by /oauth2/bc-authorize)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  1. bc-authorize endpoint validates client + resolves user
  2. Creates auth_req_id → { status: pending, ... } in RuntimeDB
  3. Calls flowExecService.InitiateFlow() with RuntimeData:
     { auth_req_id, user_id, binding_message, scope, ... }
     → gets executionID
  4. Calls flowExecService.Execute(executionID)
     → NotificationDispatch executor runs:
       - Resolves notification channel (SMS/Email)
       - Sends notification with link containing executionID
       - Returns ExecComplete
     → Authentication executor is next:
       - Returns ExecUserInputRequired (flow pauses)
  5. Returns auth_req_id + interval + expiry to client

Phase 2 — User's device (triggered by notification link)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  6. User taps link → Gate opens with executionID
  7. Gate calls flowExecService.Execute(executionID, userInputs)
     → Authentication executor resumes (passkey/OTP/approve-deny)
     → Authorization executor runs (scope/consent validation)
     → AuthAssertion executor runs:
       - Writes auth_req_id → { status: approved, user, scopes } in RuntimeDB
     → Flow completes

Phase 3 — Client polls /token
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  8. Client POST /token with grant_type=ciba + auth_req_id
     → CIBAGrantHandler reads auth_req_id state from RuntimeDB
     → pending  → 400 { error: "authorization_pending" }
     → denied   → 403 { error: "access_denied" }
     → approved → 200 { access_token, id_token, ... }
     → consumed/expired → 400 { error: "expired_token" }

3. Architecture Diagram

Client                       ThunderID AS                          User's Device
  │                               │                                     │
  │  POST /oauth2/bc-authorize    │                                     │
  │  (client auth + login_hint)   │                                     │
  │──────────────────────────────▶│                                     │
  │                               │                                     │
  │                        ┌──────┴───────┐                             │
  │                        │ Validate     │  Procedural                 │
  │                        │ Client +     │  (bc-authorize              │
  │                        │ Resolve User │   endpoint)                 │
  │                        └──────┬───────┘                             │
  │                               │                                     │
  │                        ┌──────┴───────┐                             │
  │                        │ Create       │                             │
  │                        │ auth_req_id  │                             │
  │                        │ in RuntimeDB │                             │
  │                        └──────┬───────┘                             │
  │                               │                                     │
  │                        ┌──────┴───────────────────────┐             │
  │                        │ Internal CIBA Flow           │             │
  │                        │ (flowExecService.InitiateFlow│             │
  │                        │  + Execute programmatically) │             │
  │                        │                              │             │
  │                        │  START                       │             │
  │                        │    │                         │             │
  │                        │    ▼                         │             │
  │                        │  NotificationDispatch        │             │
  │                        │  (SMS/Email with link        │────────────▶│ Notification
  │                        │   containing executionID)    │             │
  │                        │    │                         │             │
  │                        │    ▼                         │             │
  │                        │  Authentication ◀────────────│─────────────│ User taps link,
  │                        │  (pauses, resumes when       │             │ Gate resumes flow
  │                        │   user interacts on device)  │             │
  │                        │    │                         │             │
  │                        │    ▼                         │             │
  │                        │  Authorization               │             │
  │                        │  (consent/scope validation)  │             │
  │                        │    │                         │             │
  │                        │    ▼                         │             │
  │                        │  AuthAssertion               │             │
  │                        │  (writes approved status     │             │
  │                        │   to auth_req_id in RuntimeDB│             │
  │                        └──────┬───────────────────────┘             │
  │                               │                                     │
  │◀── auth_req_id ──────────────│                                     │
  │    + interval + expiry        │                                     │
  │                               │                                     │
  │  POST /token (poll)           │                                     │
  │  grant_type=ciba              │                                     │
  │  auth_req_id=xxx              │                                     │
  │──────────────────────────────▶│                                     │
  │                               │                                     │
  │                        ┌──────┴───────┐                             │
  │                        │ CIBAGrant    │  Procedural                 │
  │                        │ Handler      │  (token endpoint)           │
  │                        │ (read state) │                             │
  │                        └──────┬───────┘                             │
  │                               │                                     │
  │◀── tokens / pending ─────────│                                     │

What Needs to Be Built

Component	Type	Description
FlowTypeCIBA constant	Trivial	New flow type in flow/common/constants.go
NotificationDispatch executor	New executor	Channel resolution + SMS/Email send with executionID link. Reuses existing notifSenderSvc.
CIBA flow definition	ConfigDB seed	Default CIBA flow graph: START → NotificationDispatch → Authentication → Authorization → AuthAssertion → END
/oauth2/bc-authorize endpoint	New endpoint	Client validation, user resolution, auth_req_id creation, flow initiation
CIBAGrantHandler	New grant handler	Token endpoint handler for CIBA — reads auth_req_id state, returns tokens or pending
auth_req_id RuntimeDB schema	New table/state	Pending/approved/denied state with TTL
AuthAssertion extension	Modification	Write approval status back to auth_req_id in RuntimeDB when flow completes in CIBA context
DCR extension	Modification	Accept CIBA-specific client metadata
Discovery extension	Modification	Advertise CIBA support in .well-known/openid-configuration
Gate CIBA screen	New UI	CIBA approval screen in Gate — renders when user opens the notification link

What This Approach Preserves

• Flow composability — Notification channel and auth method are configured via the flow graph, not hardcoded. Swapping SMS for push notification is a flow edit, not a code change.
• Future migration path — When OAuth grants become fully flow-based, the CIBA internal flow already exists and just needs to be wired into the grant-as-flow pattern.
• Existing executor reuse — SMS, Email, Authentication, Authorization, and AuthAssertion executors are already HTTP-agnostic and work with NodeContext. Only NotificationDispatch is new.
• No flow engine changes required — The engine already supports InitiateFlow() + Execute() programmatically, pause/resume via ExecUserInputRequired, and state persistence in RuntimeDB.

Scope for Initial Implementation

• Poll mode only — ping and push modes deferred
• SMS and Email notification channels only — push notification requires mobile SDK (future)
• Internal flow only — CIBA flow is not exposed in the Console flow builder UI initially
• Confidential clients only — as required by the CIBA spec

[ThaminduDilshan]

Our original architecture keeps flow engine/ execution separate from the protocol specific implementations. There will be pre and post layers which handles the protocol specific details. For example current OAuth integration is like this.

    OAuth pre processing           -->      Flow engine execution         -->      OAuth post processing
(authz handler + init flow)                (native authentication)               (validate + issue auth code)

When we support other protocols, ex: SAML, we can plug in the SAML pre-post layers without changing the internal flow execution layer.

Adding a new CIBA executor or CIBA flow type brings the protocol specific implementation to the flow engine and execution. This doesn't align with the original design.

CIBA is about decoupling the authentication and consumption into two devices right? The core authentication mechanism is applicable for native flow execution as well. CIBA is protocol specific which is only for OAuth authentication.

Aligning with our original design, we should implement native executors that can be used in any flow which are capable of above authentication mechanism, but not following the protocol specific pattern. Then these can be engaged for a CIBA flow as well. However this can be flagged be reinventing the wheel where we would implement a CIBA similar pattern using native flow execution. Hence better to have a discussion on this and come to a conclusion.

---

A new flow type CIBA will be added alongside the existing types (AUTHENTICATION, REGISTRATION, USER_ONBOARDING, RECOVERY).

IMO this is not the correct approach. CIBA should fall under the existing AUTHENTICATION flow type

[yudin-s]

I agree with the direction in the follow-up: keep CIBA protocol handling outside the flow engine as much as possible.

The clean boundary seems to be:

OAuth/CIBA pre-processing
  - validate client
  - validate CIBA request params
  - resolve login_hint / user_code / binding_message
  - create auth_req_id state
  - start native authentication flow

Flow engine
  - notify user
  - authenticate user
  - collect approval/denial
  - produce an authentication result

OAuth/CIBA post-processing
  - map flow result to auth_req_id status
  - token polling responses
  - issue tokens
  - enforce expiry, interval, slow_down, consumed state

That keeps the flow engine protocol-neutral while still reusing it for the user interaction.

I would avoid FlowTypeCIBA if the current architecture treats AUTHENTICATION as the generic user-auth journey. CIBA is not a different kind of human authentication; it is a different OAuth/OIDC delivery protocol around that authentication.

Instead, the reusable flow capability could be something like:

OutOfBandNotification
ApprovalPrompt
AuthAssertion

Those can be used by CIBA now, but later also by non-OAuth flows: admin approval, device pairing, transaction approval, step-up auth, etc.

For auth_req_id state, I would make the state machine explicit:

pending -> approved -> consumed
pending -> denied
pending -> expired
pending -> failed

and store:

{
  "client_id": "...",
  "user_id": "...",
  "scope": "...",
  "binding_message_hash": "...",
  "flow_execution_id": "...",
  "status": "pending",
  "expires_at": "...",
  "last_poll_at": "...",
  "poll_interval": 5
}

For defaults: expires_in around 180 seconds is a reasonable initial value, with interval around 5 seconds for poll mode. The important part is enforcing slow_down when clients poll faster than the interval.

So the implementation I would favor is: procedural CIBA grant/endpoints, existing AUTHENTICATION flow type, new protocol-neutral notification/approval executors, and a strict auth_req_id state machine.

[sahandilshan]

Converged approach - Notification Dispatch as a reusable utility flow (procedurally orchestrated for v1)

Following an internal discussion (with @ThaminduDilshan), we've refined the design to address the concern about protocol specifics leaking into the flow engine. Here's where we landed.

1. No CIBA flow type - Notification Dispatch becomes a standalone utility flow

Dropping FlowTypeCIBA entirely. Instead:

• Notification Dispatch is a separate, protocol-neutral utility flow (proposed flow category: UTILITY). Its only job is to send a notification out of ThunderID, configurable with what notification to send and which delivery method(s) (SMS/Email initially).
• It is not CIBA-specific. Any flow that needs an out-of-band notification can reuse it - magic link being an obvious candidate. CIBA is simply its first consumer.
• The actual user authentication continues to run in a normal AUTHENTICATION flow. CIBA does not introduce a new authentication type - it's the same human authentication, just reached via a different (backchannel) protocol. This directly addresses the point @ThaminduDilshan and @yudin-s raised.

This keeps the engine protocol-neutral and respects the pre-processing → flow execution → post-processing boundary @yudin-s described: protocol logic stays in the CIBA pre/post layers; the flow engine only runs protocol-neutral notification + authentication.

2. How the utility flow is invoked - two options

There are two ways to wire "dispatch the notification, then authenticate":

• Option A: in-graph (CALL node): the CIBA authentication flow begins with a CALL node into the Notification Dispatch utility flow. This is the cleanest, most uniform form, and uses the cross-flow invocation mechanism proposed in [Design Discussion] Cross-Flow Invocation via a Call Node #2639. (A UTILITY flow is a different type from AUTHENTICATION, so it fits [Design Discussion] Cross-Flow Invocation via a Call Node #2639's phase-1 different-type rule.)
• Option B: procedural: the /bc-authorize grant handler invokes the Notification Dispatch flow via InitiateFlow()- the same pattern the OAuth authorize endpoint already uses today. No new engine capability required.

3. Why we're going with Option B for v1

Option A depends on the CALL node (#2639), which is still an open design, the flow-type-category question, the per-frame context split, and the phase-2 same-type/sub-flow fork are all unresolved. Building CIBA on top of it would couple CIBA's delivery to a second in-flight design and put it on #2639's critical path.

Option B avoids that:

• No new engine dependency: reuses the existing InitiateFlow() orchestration.
• Protocol orchestration stays in the protocol layer: at /bc-authorize the grant handler sequences "create auth_req_id → dispatch notification → return auth_req_id", and at tap time it resolves auth_req_id → authentication flow. That's exactly the pre-/post-processing responsibility we agreed the protocol layer should own.
• The utility flow is identical in both options: only the invocation differs (handler call vs. CALL node). Choosing B now is not throwaway work.

4. Execution walkthrough (v1, poll mode)

The two flows start at two different times: notification-dispatch at the backchannel request, the authentication flow only when the user actually engages:

At /bc-authorize  (client is waiting synchronously):
  1. validate client, resolve user from login_hint
  2. create auth_req_id state in RuntimeDB:
       { client_id, user_id, scope, binding_message, status: pending, expiry, interval }
  3. InitiateFlow(notification-dispatch)   <- runs to completion synchronously
       -> sends notification; link carries auth_req_id
  4. return auth_req_id + interval + expiry to client

When the user taps the link  (their device, seconds-minutes later):
  5. Gate resolves auth_req_id -> the application's authentication flow
  6. InitiateFlow(authentication-flow) with context { auth_req_id, user_id, binding_message, scope }
       -> executionId is created here
       -> store auth_req_id <-> executionId
  7. user authenticates -> authorization -> auth_assert
       -> auth_assert writes back into auth_req_id state:
            { status: approved, authenticated_user, consented_scopes }

When the client polls /token  (with auth_req_id):
  8. CIBAGrantHandler reads auth_req_id state
       -> pending  -> authorization_pending
       -> approved -> issue tokens
       -> denied / expired -> corresponding error

Key points:

• auth_req_id is the durable anchor: created up front at step 2. The executionId is created lazily at tap time (step 6); that's also where the auth_req_id ↔ executionId mapping is written. The authentication flow carries auth_req_id in its context and writes its result back into that state at auth_assert, which is what the /token poll reads.
• The notification link carries auth_req_id, not an executionId: at dispatch time the auth execution doesn't exist yet. A side benefit: we never spin up a parked auth execution that the user might ignore; it's created only when someone actually taps.
• The authentication flow is triggered by the user's tap, never by /bc-authorize. The backchannel request only dispatches the notification.

5. Future - when the CALL node lands

Once #2639 is agreed and implemented, we migrate CIBA from Option B to Option A:

• Replace the grant handler's procedural InitiateFlow(notification-dispatch) with a CALL node at the start of the CIBA authentication flow definition.
• The utility flow, its config, and its executors are unchanged - a small, localized change moving the invocation from code into the graph.
• This also unlocks the broader capability: any authentication flow can then reuse Notification Dispatch in-graph, not just CIBA.

So CIBA ships now without blocking on #2639, and adopts the cleaner in-graph composition the moment that mechanism is available.

[Dilusha-Madushan]

CIBA Phase 1 Implementation — What Was Done

Related PR:

• Add CIBA poll mode authentication #3171

The goal of Phase 1 was to bring full end-to-end support for the CIBA (Client-Initiated Backchannel Authentication) poll mode into ThunderID so that a client application can initiate an authentication request from the consumption device, and then poll for the result.

The backchannel authentication endpoint (POST /oauth2/bc-authorize) was added to accept a request from a confidential client carrying a login_hint, a scope, and an optional binding_message. The endpoint validates that the client is authorised for the CIBA grant type, that exactly one hint is provided, and that the scope includes openid. It then kicks off an authentication flow server-side — resolving the user from the hint, generating a notification link, and sending it to the user via email or SMS — and returns an auth_req_id along with polling interval and expiry values to the client.

On the user's device, they follow the notification link into the Gate UI, authenticate with their password, go through a consent step that shows which permissions are being requested, and complete the flow. The flow assertion is then posted back to a shared callback endpoint (POST /oauth2/auth/callback) which marks the CIBA session as authenticated.

The client polls the token endpoint using the urn:openid:params:grant-type:ciba grant type. The poll returns authorization_pending while the user hasn't acted, slow_down if the client is polling too fast, expired_token if the request lifetime ran out, access_denied if the user denied, and finally the access token and ID token once the user has approved. Once the token is issued the session is marked as consumed so it cannot be used again.

The notification channel is fully driven by the flow definition. The default flows use email and SMS, and both support a binding_message that is shown on the notification so the user can correlate the request with the initiating device. If the client does not supply a binding message, a short unique code is derived from the auth_req_id and included automatically.

A dedicated callback package owns the single POST /oauth2/auth/callback endpoint and dispatches to either the authorization code path or the CIBA path based on a type field in the request body, so the Gate UI does not need to know which grant type is in play.

The loginHintAttribute node property was added to the identifying executor so that a flow can be configured to resolve the user by any attribute — email, username, or anything else — without hardcoding the lookup inside the CIBA service itself.

The InitiateAndExecute method was added to the flow execution service so that a caller can run a flow server-side from start to a display-only pause node in a single call, which is what CIBA needs to send the notification without waiting for any user input.

[Dilusha-Madushan]

CIBA Phase 2 — id_token_hint Support

Background

Phase 1 delivered CIBA poll mode with login_hint as the only supported user hint. CIBA Core 1.0 §7.1 defines three mutually exclusive hint parameters — login_hint, id_token_hint, and login_hint_token — of which the OP must support at least one. Phase 1 left id_token_hint and login_hint_token as stubs that return invalid_request with a clear message.

The Phase 2 plan for id_token_hint.

---

What id_token_hint Enables

The client sends a previously issued ID token as the user hint instead of a raw attribute like an email address. This is the preferred approach when:

• The user already has a session on the consumption device and the client holds a valid ID token from a prior OIDC flow.
• Pairwise subject identifiers are in use and the client does not want to send a bare email or phone number across the wire.
• The client wants to correlate the CIBA request to a concrete prior session rather than relying on a free-form string hint.

The practical effect is that the OP resolves the user from the sub claim of the provided ID token — a direct entity ID lookup — rather than searching by a user-controlled attribute value.

---

Token Validation (CIBA Service)

When the client provides id_token_hint, the backchannel authentication endpoint validates the token before passing the resolved subject to the flow:

1. Decode the JWT payload (no verification yet — base64 only).
2. iss check — the iss claim must match Thunder's configured issuer. Tokens from a foreign issuer are rejected with invalid_request. Thunder can only assert the identity of users it issued tokens for.
3. aud check — the aud claim must contain the requesting client's client_id. This prevents a token issued to client A from being used as a hint by client B.
4. sub check — the sub claim must be present and non-empty. It becomes the entity ID passed to the flow as the login_hint value.
5. Signature verification — best-effort — Thunder attempts to verify the signature using its current signing key set. If a matching key is not found (rotated key no longer in the active set), the check is skipped rather than hard-failing. This is explicitly permitted by the CIBA spec, which acknowledges that key rotation makes strict verification impractical and suggests iss + aud as a sufficient trust path.
6. exp — not checked. OIDC Core guidance states the OP should accept ID tokens even past expiry when the user is identified. Using exp as a freshness signal would break legitimate use cases (e.g. a mobile app that stores an ID token across sessions before initiating a CIBA upgrade days later).

Once validation passes, the sub value (the entity ID) is passed into the flow as the login_hint input — no different from how a raw login_hint value is passed. The CIBA service itself does not do an entity existence check; that responsibility stays in the flow.

User Resolution (Flow — IdentifyingExecutor)

The IdentifyingExecutor already maps login_hint to a user attribute via the loginHintAttribute node property (e.g. loginHintAttribute: "email" maps login_hint → search by email). For id_token_hint, the sub is a Thunder entity ID — not a user attribute — so a direct entity lookup is needed instead of an attribute search.

A new path is added to the IdentifyingExecutor: when loginHintAttribute is set to "userID", the executor calls GetEntity(loginHint) directly rather than running an attribute search. This short-cuts the indexed-attribute and JSONB query paths entirely and hits the primary key. Entity-not-found returns unknown_user_id per CIBA Core 1.0 §7.3.

The rest of the flow is unchanged: notification sending, invite verification, credential collection, consent, and the assertion callback all proceed identically regardless of which hint type initiated the request.

Flow Configuration

id_token_hint-based CIBA flows use loginHintAttribute: "userID" on the identify_user node:

{
  "id": "identify_user",
  "type": "TASK_EXECUTION",
  "properties": {
    "loginHintAttribute": "userID"
  },
  "executor": {
    "name": "IdentifyingExecutor",
    "inputs": [
      { "identifier": "login_hint", "type": "TEXT_INPUT", "required": true }
    ]
  },
  "onSuccess": "generate_invite"
}

login_hint-based flows continue to use loginHintAttribute: "email" (or whichever attribute the admin configures). The two hint types use separate flow definitions — there is no single flow that handles both, because each requires a different resolution strategy.

Mutual Exclusivity

CIBA Core 1.0 §7.1 requires exactly one hint per request. The handler already enforces this for all three hint types — zero hints and multiple hints both return invalid_request. Phase 2 removes the "not supported" stub for id_token_hint and routes it through the new validation and resolution path.

---

Error Mapping

Condition	CIBA error
id_token_hint is malformed (not a valid JWT)	invalid_request
iss does not match Thunder's issuer	invalid_request
aud does not contain the requesting client_id	invalid_request
sub missing or empty	invalid_request
Signature invalid (key found but verification fails)	invalid_request
Signature key not found (rotated key)	Signature check skipped; proceed
exp expired	Ignored
Entity not found for the resolved sub (flow error)	unknown_user_id

[sahandilshan]

Hi @Dilusha-Madushan

Regarding this point

exp — not checked. OIDC Core guidance states the OP should accept ID tokens even past expiry when the user is identified. Using exp as a freshness signal would break legitimate use cases (e.g. a mobile app that stores an ID token across sessions before initiating a CIBA upgrade days later).

Spec never mention not to check for ID token hint exp time. It say OP should, for some reasonable period, accept id_token_hints with an expiration time that has passed. So we need to do the expiry check here with a accepted period. Either we can keep this period as a deployment (OU level) config or application level config

[sahandilshan]

Also regarding skip the signature validation, spec mentioned to skip it if the OP uses a pairwise sub. That mean the sub is different for the user based on the application
sub = Hash( sector_identifier + real_user_id + Thunder's_secret_salt )
So for user X:

• client-A receives sub = "7f3a9c..."
• client-B receives sub = "b21e0d..."

Since thunder always return the same id as the sub, let's not skip this. This will introduce a security issue