Add CIBA support

[franticticktick]

Need to consider adding CIBA support.

[jgrandja]

@franticticktick I'm not familiar with OpenID Connect Client Initiated Backchannel Authentication Flow. I haven't heard of it much either so I'm not sure if it's widely used.

Can you provide more details on why and how you would use this feature? Do you know of any other well known providers that have implemented this spec?

[franticticktick]

Hi @jgrandja , you can see the implementation of this specification, for example, in keycloack. Personally, I think ciba is a very important flow, it can be used to authenticate a user through technical support, which is much more secure than the same otp code from SMS (and this is used very often). Okta suggests using CIBA as an implementation of SCA, for example, transaction verification.
In addition, there is a certain demand for this flow among spring security users.

[kpur-sbab]

spring-projects/spring-security#14725 (comment)

[jgrandja]

Thanks for the details @franticticktick.

It appears Keycloak hasn't implemented CIBA as of yet since the link you provided says the status is "Draft # 1".

I'm not convinced this capability is in widespread use as of today and it's not clear if it will be in the future.

Our goal as a framework is to provide features that will be widely used, otherwise, we're supporting code that provides value only to a limited set of users.

There are so many OIDC / OAuth2 specs out there we can't implement them all. Our team resource capability has been reduced this past year so we need to be careful what we prioritize in our releases.

As of now, there are other priorities that we need to deal with and the CIBA capability is not on our radar as of now. I'll monitor this issue and we'll see if the demand for this feature picks up.

[franticticktick]

@jgrandja I don't know why the document status is draft this, but CIBA is implemented in Keycloak and you can easily find a guide on how to set it up.

I'm not convinced this capability is in widespread use as of today and it's not clear if it will be in the future.

I see that many people use this flow, and those who do not use it invent their own protocols, for example, for user interaction with technical support. And this almost always leads to unpleasant consequences, since these protocols are rarely safe. Do I consider CIBA an important flow? Yes, I think so.