Feat: Add Client-Initiated Backchannel Authentication (CIBA) support#254
Merged
Conversation
kailash-b
approved these changes
Jul 9, 2026
kailash-b
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for Client-Initiated Backchannel Authentication (CIBA),
CIBA is implemented as a stateless, application-owned polling flow, consistent with the existing SDK architecture. The implementation is built entirely on the CIBA primitives already available in
com.auth0:auth0:3.10.0Flow
CIBA consists of two steps:
Initiate
auth_req_idintervalexpires_inPoll
The library intentionally remains stateless. The application owns the polling loop and is responsible for honoring the returned
intervalandexpires_in.What's added
AuthenticationControllerNew public APIs mirroring the existing
renewAuthoverload pattern:backChannelAuthorize(scope, bindingMessage, loginHint[, domain])BackChannelAuthorizeRequest.withAudience(...).withRequestedExpiry(...)backChannelPoll(authReqId[, domain])BackChannelTokenRequestBoth APIs provide:
New request types
BackChannelAuthorizeRequestFluent wrapper for
POST /bc-authorize.Returns the raw
BackChannelAuthorizeResponsecontaining:authReqIdintervalexpiresInThis allows the application to drive the polling lifecycle.
BackChannelTokenRequestFluent polling request that delegates directly to
RequestProcessor.New exception
BackChannelAuthorizationExceptionExtends
IdentityVerificationException.Provides helper methods for distinguishing retryable vs. terminal OAuth errors.
Retryable:
isAuthorizationPending()isSlowDown()Terminal:
isExpiredToken()isAccessDenied()RequestProcessorAdded
executeBackChannelPoll(...), which:urn:openid:params:grant-type:cibaAPIException.getError()toBackChannelAuthorizationExceptionorg_id/org_name) when configuredTokensExample
Notes
BackChannelTokenResponsecurrently does not include:refresh_tokentoken_typeTherefore the returned
Tokenscontain:refreshToken = nulltype = "Bearer"Refresh token support for CIBA would require an upstream change in
auth0-java.No
module-infochanges are required since the entirecom.auth0package is already exported.Test plan
BackChannelAuthorizeRequestTest(6 tests)Auth0ExceptionpropagationBackChannelTokenRequestTest(3 tests)RequestProcessorAuth0ExceptionpropagationBackChannelAuthorizationExceptionTest(5 tests)isX()helper maps to the correct OAuth errorIdentityVerificationException✅ Full test suite passes with no regressions.