AttestoPhoenix. AuthorizationServer. BackchannelAuthentication
(AttestoPhoenix v1.2.0)
Copy Markdown
View Source
CIBA backchannel authentication request processing (OpenID Connect CIBA Core 1.0 §7), as conn-free core.
Turns an authenticated confidential client and a parsed backchannel
authentication request into the §7.3 acknowledgement (auth_req_id,
expires_in, interval), by:
- building the core
Attesto.CIBA.Request.client()map from the client's registered CIBA metadata (AttestoPhoenix.Config.client_ciba_registration/2+ the shared:client_id/:client_jwkscallbacks); - stripping the client-authentication parameters so a signed authentication request (§7.1.1) stands alone;
- validating the request via
Attesto.CIBA.Request.validate/3(scope, the exactly-one-hint rule,binding_message, and - for FAPI-CIBA - the mandatory signedrequestJWT against the client's JWKS); - guarding a signed request's
jtiagainst replay when the host wired a:replay_checkseam (FAPI-CIBA §5.2.2 host obligation); - resolving the request's hint to an end-user through the host
:authenticate_ciba_usercallback (CIBA §7.1: the user is identified BEFORE the acknowledgement is returned) - which also verifies anyuser_code; - minting the
auth_req_idviaAttesto.CIBA.issue/4; and - kicking off the out-of-band authentication through the host
:notify_ciba_usercallback, fire-and-forget so the acknowledgement never waits on it.
The thin AttestoPhoenix.Controller.BackchannelAuthenticationController parses
the request off the Plug.Conn, authenticates the client (confidential only,
FAPI-CIBA §5.2.2), lifts the conn facts into a %Request{} of plain data, and
calls request/2. Every grant decision lives here or in the core.
Summary
Types
The CIBA §7.3 authentication request acknowledgement (atom keys; :interval dropped when nil).
Functions
Process a backchannel authentication request, returning the §7.3
acknowledgement or an AttestoPhoenix.OAuthError (whose status is the CIBA
§13 status from Attesto.CIBA.error_status/1).
Types
Functions
@spec request( AttestoPhoenix.Config.t(), AttestoPhoenix.AuthorizationServer.BackchannelAuthentication.Request.t() ) :: {:ok, response()} | {:error, AttestoPhoenix.OAuthError.t()}
Process a backchannel authentication request, returning the §7.3
acknowledgement or an AttestoPhoenix.OAuthError (whose status is the CIBA
§13 status from Attesto.CIBA.error_status/1).