Interface CIBARequestHandler

All Superinterfaces:
Lifecycle

@ThreadSafe public interface CIBARequestHandler extends Lifecycle
Service Provider Interface (SPI) for handling Client-Initiated Backchannel Authentication (CIBA) requests.

The Connect2id server performs the following processing prior to invoking this SPI:

  • Authenticates the client and ensures it's authorised to make CIBA requests.
  • If the CIBA request is signed, validates the JWT and extracts the request parameters.
  • Ensures the client is allowed to use the type of submitted hint - login_hint_token, id_token_hint or login_hint.
  • Resolves the hint subject and for a login_hint_token also the linked native IdP app session.
  • Ensures the binding_message, if any, matches the configured legal pattern.
  • Ensures a user_code is submitted if required for the client.

The type of hint employed can be obtained with CIBARequest.getHintType().

Implementations must be thread-safe.

Related specifications:

  • OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.
  • Method Summary

    Modifier and Type: void
    Method: process(com.nimbusds.oauth2.sdk.token.AccessToken callbackToken, int expiresIn, com.nimbusds.oauth2.sdk.id.Subject resolvedSubject, com.nimbusds.oauth2.sdk.ciba.CIBARequest cibaRequest, HintContext hintCtx, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, SubjectSessionContext sessionContext, InvocationContext invocationCtx)
    Description: Handles a CIBA request that passed initial validation by the Connect2id server.

    Methods inherited from interface com.nimbusds.openid.connect.provider.spi.Lifecycle

    init, isEnabled, shutdown
  • Method Details

    • process

      void process(com.nimbusds.oauth2.sdk.token.AccessToken callbackToken, int expiresIn, com.nimbusds.oauth2.sdk.id.Subject resolvedSubject, com.nimbusds.oauth2.sdk.ciba.CIBARequest cibaRequest, HintContext hintCtx, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, SubjectSessionContext sessionContext, InvocationContext invocationCtx) throws com.nimbusds.oauth2.sdk.GeneralException
      Handles a CIBA request that passed initial validation by the Connect2id server.
      Parameters:
      callbackToken - The callback token. Required to submit the CIBA authorisation to the Connect2id server after successful end-user authentication and consent.
      expiresIn - The lifetime of the auth_req_id and the callback token, in seconds.
      resolvedSubject - The end-user identifier resolved from the received login_hint_token, id_token_hint or login_hint.
      cibaRequest - The CIBA request.
      hintCtx - Additional context about the received login_hint_token, id_token_hint or login_hint.
      clientID - The client identifier.
      clientMetadata - The OAuth 2.0 / OpenID Connect client metadata.
      sessionContext - The session context for the resolved subject.
      invocationCtx - The invocation context.
      Throws:
      com.nimbusds.oauth2.sdk.GeneralException - If the request is rejected. Should include an appropriate HTTP status and error code.
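
Added example (not part of the Connect2id documentation or SDK): a sketch of a thread-safe handler that keeps the callback token on the server until it expires, gives the device only a random single-use reference, and rejects with an error code and HTTP status. The class name, the sendToDevice hook, the claim method and the choice of access_denied / 403 are assumptions made for illustration. It also assumes the cibaRequest passed in carries the already extracted parameters, and the imports for the SPI types must be added from the packages that declare them.

```java
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.ciba.CIBARequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
// Assumption: also import CIBARequestHandler, HintContext, SubjectSessionContext and
// InvocationContext from the SDK packages that declare them (not named on this page).

public abstract class PendingStoreCIBAHandler implements CIBARequestHandler {
    /** Callback token with its absolute expiry; held server-side only. */
    public static final class Pending {
        public final AccessToken callbackToken; public final Instant expiresAt;
        Pending(AccessToken t, Instant e) { callbackToken = t; expiresAt = e; }
    }
    // ConcurrentHashMap because process() can be invoked from many threads at once.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Hypothetical hook: push the prompt to the user's device; false if none is registered. */
    protected abstract boolean sendToDevice(Subject subject, String requestRef, String bindingMessage);

    @Override
    public void process(AccessToken callbackToken, int expiresIn, Subject resolvedSubject,
            CIBARequest cibaRequest, HintContext hintCtx, ClientID clientID,
            OIDCClientMetadata clientMetadata, SubjectSessionContext sessionContext,
            InvocationContext invocationCtx) throws GeneralException {
        Instant now = Instant.now();
        // Evict entries whose callback token lifetime (expiresIn) has already passed.
        pending.values().removeIf(p -> p.expiresAt.isBefore(now));
        // The device only sees a random reference; the callback token never leaves the server.
        String requestRef = UUID.randomUUID().toString();
        pending.put(requestRef, new Pending(callbackToken, now.plusSeconds(expiresIn)));
        // The binding message may be null: the request is not required to carry one.
        if (!sendToDevice(resolvedSubject, requestRef, cibaRequest.getBindingMessage())) {
            pending.remove(requestRef);
            // Reject with an error code and HTTP status, as the SPI contract asks.
            throw new GeneralException(
                new ErrorObject("access_denied", "No authentication device for the end-user", 403));
        }
    }
    /** Single-use lookup after the user approves: null if unknown, replayed or expired. */
    public Pending claim(String requestRef) {
        Pending p = pending.remove(requestRef);
        return (p == null || p.expiresAt.isBefore(Instant.now())) ? null : p;
    }
}
```

The callback token is a bearer credential for submitting the authorisation, so it should stay out of logs and device payloads; a production store would also need to survive restarts and be shared across server nodes.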