WSO2 Open Banking introduces support for CIBA — Client Initiated Back Channel Authentication
This blog assumes that you are familiar with the WSO2 Open Banking solution; if you are not, I suggest having a look at https://wso2.com/solutions/financial/open-banking/ first.
What is CIBA?
Let's get started with an intro to CIBA. CIBA stands for Client Initiated Backchannel Authentication, an authentication flow specified by the OpenID Foundation as an extension to OpenID Connect. It differs from the usual authentication flows because the user is authenticated over a "back channel" rather than through a browser redirect on the device that started the flow. Let's first see what happens in a normal OIDC authentication flow in the WSO2 Open Banking solution. Say you are trying to check your account information:
- First you make a token call and get a client credentials access token
- You make an account consent initiation call. This call includes information about which account information you want to receive
- You authorize the above consent by making an authorization request and logging in with your bank account credentials
- You get a user access token from the token endpoint using the authorization code received from the above call
- You retrieve account information using the obtained user access token
The notable change in CIBA happens in the third step (authorize) above. The authorize call is the step where you authenticate yourself and the bank verifies that you are permitted to access this account.
In the normal authorize flow, you are redirected to the bank's login page and log in with your username and password, which is "something you know". So you authenticate yourself on the same device, and in the same browser session, that is used for the rest of the flow.
In CIBA, that step is replaced. Instead of the authorize call, the client makes a backchannel authentication request to the bank (the CIBA call), and the bank sends a notification to your registered mobile device. Since the mobile is "something you have", CIBA uses the mobile to verify that you are permitted to use this account: you approve or reject the request there, and the client then obtains the user access token from the token endpoint by presenting the auth_req_id that the CIBA call returned. The other special thing here is that the flow uses two devices, one for the normal activities of the flow and another for authenticating the user, which makes this a "decoupled authentication/authorization". Because the two devices are not linked by a browser session, the specification lets the client send a binding_message that the bank shows on the mobile, so the user can check that the request they are approving is the one they actually started.
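The following is an added example, not code from the original post or from WSO2, that walks through the CIBA exchange described above in poll mode: one backchannel authentication request, the user deciding on a second device, and the client polling the token endpoint with the auth_req_id. The in-memory SimulatedCibaServer stands in for the bank's backchannel authentication and token endpoints and follows the request/response shapes and error codes of the OpenID CIBA specification (authorization_pending, slow_down, expired_token, access_denied); the login hint psu@example.com, the binding message Pay-4242, the scope string and the fake clock are constructed for the demo, and client authentication at the endpoints is left out of the simulation.

```python
"""Simulated CIBA (OpenID Connect Client Initiated Backchannel Authentication,
poll mode) exchange. Constructed for this example: the in-memory server below
stands in for a bank's authorization server; nothing here is WSO2 code."""
import secrets
import time
from dataclasses import dataclass

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant_type value defined by the CIBA spec


@dataclass
class AuthRequest:
    scope: str
    binding_message: str
    created: float
    status: str = "pending"      # pending | approved | denied (set from the phone)
    last_poll: float = -1.0


class SimulatedCibaServer:
    """Stand-in for the bank: backchannel authentication endpoint + token endpoint.
    Client authentication (mTLS / private_key_jwt) is omitted from the simulation."""

    def __init__(self, clock=time.monotonic, interval=5, expires_in=120):
        self.clock, self.interval, self.expires_in = clock, interval, expires_in
        self.requests = {}

    def backchannel_authenticate(self, params):
        # scope must include openid, and exactly one user hint is required so the
        # bank knows which customer's registered device to notify.
        if "openid" not in params.get("scope", "").split():
            return {"error": "invalid_scope"}
        hints = [k for k in ("login_hint", "login_hint_token", "id_token_hint") if k in params]
        if len(hints) != 1:
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(24)
        self.requests[auth_req_id] = AuthRequest(
            params["scope"], params.get("binding_message", ""), self.clock())
        # A real bank now pushes a notification to the user's mobile app; the
        # binding_message is displayed there so the user can match it to the request.
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": self.interval}

    def user_decision(self, auth_req_id, approve):
        """The customer approves or rejects on the phone (the second device)."""
        self.requests[auth_req_id].status = "approved" if approve else "denied"

    def token(self, params):
        if params.get("grant_type") != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(params.get("auth_req_id", ""))
        if req is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now - req.created > self.expires_in:
            return {"error": "expired_token"}
        if 0 <= req.last_poll and now - req.last_poll < self.interval:
            req.last_poll = now
            return {"error": "slow_down"}          # client polled faster than interval
        req.last_poll = now
        if req.status == "pending":
            return {"error": "authorization_pending"}
        if req.status == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": req.scope}


def ciba_flow(server, login_hint, scope, binding_message, sleep, transcript, poll_interval=None):
    """Client (e.g. a TPP app) side: one backchannel request, then poll the token
    endpoint until the user decides or the request expires."""
    resp = server.backchannel_authenticate({"scope": scope, "login_hint": login_hint,
                                            "binding_message": binding_message})
    if "error" in resp:
        return resp
    interval = poll_interval or resp.get("interval", 5)   # spec default is 5 seconds
    while True:
        tok = server.token({"grant_type": CIBA_GRANT, "auth_req_id": resp["auth_req_id"]})
        err = tok.get("error")
        transcript.append(err or "token")
        if err == "authorization_pending":
            pass
        elif err == "slow_down":
            interval += 5      # spec: back off by at least 5 seconds before polling again
        else:
            return tok          # token, or a terminal error such as expired_token/access_denied
        sleep(interval)


def run_demo(decision="approve", decide_at=12.0, poll_interval=None):
    """Run the flow on a fake clock; the customer acts on the phone at decide_at seconds."""
    t = {"now": 0.0}
    server = SimulatedCibaServer(clock=lambda: t["now"])
    transcript = []

    def sleep(seconds):          # while the client waits, the user acts on the second device
        t["now"] += seconds
        pending = [rid for rid, r in server.requests.items() if r.status == "pending"]
        if decision != "never" and t["now"] >= decide_at and pending:
            server.user_decision(pending[0], decision == "approve")

    result = ciba_flow(server, "psu@example.com", "openid accounts", "Pay-4242",
                       sleep, transcript, poll_interval)
    return result, transcript


if __name__ == "__main__":
    res, log = run_demo()
    print(log, "->", "access_token" in res)
```

run_demo(poll_interval=1) shows what happens when a client ignores the server's interval hint: the first fast poll is answered with slow_down and the client backs off by five seconds, which is the behaviour a bank should verify before onboarding a TPP. run_demo(decision="deny") and run_demo(decision="never") show the two terminal failures (access_denied and expired_token) the client must treat as final rather than keep polling.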