Initiate CIBA Authentication

POST 
/authz-srv/ciba

Client-Initiated Backchannel Authentication (CIBA)

This API initiates the CIBA flow. The client sends user identification and client credentials; the server creates an authentication request, sends a push to the user's authenticator device, and returns an auth_req_id for polling the token endpoint. Use auth_req_id with POST /token-srv/token and grant_type=urn:openid:params:grant-type:ciba to poll for tokens.

See CIBA documentation for the full flow.

Request

Responses

200

OK - CIBA authentication request created successfully.

400

Bad Request - Invalid request (e.g. validation failure, user not found for login_hint, bad scope).

401

Unauthorized - Client authentication failed (e.g. wrong or missing client credentials).

403

Forbidden - CIBA is not enabled for the instance, or no verification method is configured for the user.