Bcauthorize Endpoint

Clients can create a request for Client Initiated Backchannel Authentication (CIBA) feedback on operations such as a push-based logon on a mobile device.

Copy

The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):

https://[base-server-url]/{tenant}/authn/bcauthorize [POST]
Note: This endpoint only supports bearer token authentication. It does not support basic authentication.

For further information about CIBA deployment, see the push-based solution's Enable Validation Feedback using CIBA Notifications and CIBA Demo Portal Sample.

Bcauthorize Request

Copy 
POST https://[base-server-url]/{tenant}/authn/bcauthorize HTTP/1.1
Connection: close
Authorization: Bearer RTp7HwAAAXk3s41v8uBOEA92yE98qTLB1+SKlONh
Content-Type: application/x-www-form-urlencoded
 
{
     "scope": "openid hid-tx-sign",
     "acr_values": "mod-mf",
     "login_hint_token": "eyJhbGciOiJub25lIn0.eyJhdXRocG9sIjoiQVRfVERTIiwidGRzIjoie2Ftb3VudCwgNDAwLjAwfSx7c29ydGNvZGUsMjAtMzAtOTB9LCB7YWNjb3VudF90bywxMjM0LTU2Nzh9IiwiY2hhbm5lbCI6IkNIX1REUyIsInVzZXJjb2RlIjoiYmFua3VzZXIwMSIsImRldmljZWlkIjoiMTEwNTgiLCJjcmVhdGVTZXNzaW9uIjoiMSJ9."
 }

Where:

  • scope – is the scope that defines the list of claims (user information) that will be part of the id_token,

    The hid-tx-sign scope adds support for custom claims, such as "JWS", "PUK", "approvalstatus" , "deviceid" , "domain".

  • login_hint_token – is a JWT token (PlainJWT with no signature or encryption) with the information required to initiate a push-based logon or operation validation approval.

    Copy

    The JWT JSON payload of login_hint_token is:

    {
        "authpol":"AT_PASA",
        "tds":"Please validate Logon",
        "channel":"CH_DIRECT",
        "usercode":"MyTestUser",
        "deviceid":"11924",
        "createSession":"0"
        "RMSInfo":"eyJhbGciOiJub25lIn0.eyJUTV9TRVNTSU9OX1NJRCI6InJZRmNtNjVwa2hvYXdHUkZnTjFVUk5YWUhsM1FBcGxIIiwiVE1fQ0xJRU5UX0lQIjoiMTAuMTYuNzEuNzkiLCJUTV9TRVNTSU9OX1RSQU5TRkVSIjoiUFc4RDBUUDVrMmFHZEl2TUlYcU5LM2ZCZ1NnNWVCVjdYSEFIOHNneCIsIlRNX0RFVklDRV9UQUciOiIwT2VuTnFBZGxRM2Fwb1ZmSGhkcmJuZ2F2WDRVajNQVCJ9."
    }

    Where:

    • usercode – is the ActivID Appliance identifier of the targeted user.

    • deviceid – is the ActivID Appliance identifier of the targeted device.

      Optional, if not set then the notification is sent to the last used device (the active device that has the most recently used credential for the authentication policy on request).

    • authpol – is the authentication policy to use.

    • channel – is the channel to create the logon or operation request on the ActivID Appliance (optional, the default is the channel configured for the OpenID client).

    • tds – is the logon or operation validation message to be displayed on the device for approval.

    • createSession – is the optional parameter to define if ActivID Appliance will create a sessionid (aka ALSI) if the operation is validated on the device. If set to "1", then a sessionid will be created.

      The default value is "0" (no session is created).

    • RMSInfo (optional) – is a PlainJWT object with information in the context of Risk Management System integration (for further information, see refer to the ActivID Risk Management Service Integration Guide available from the ActivID Customer Portal). The following is an example of the content:

      Copy
      {
        "TM_CLIENT_IP": "10.16.71.79",
        "TM_SESSION_SID": "rYFcm65pkhoawGRFgN1URNXYHl3QAplH",
        "TM_DEVICE_TAG": "0OenNqAdlQ3apoVfHhdrbngavX4Uj3PT",
        "TM_SESSION_TRANSFER": "PW8D0TP5k2aGdIvMIXqNK3fBgSg5eBV7XHAH8sgx"
      }

    Copy

    Example of login_hint_token without the optional RMSInfo:

    eyJhbGciOiJub25lIn0.eyJhdXRocG9sIjoiQVRfUEFTQSIsInRkcyI6IlBsZWFzZSB2YWxpZGF0ZSBMb2dvbiIsImNoYW5uZWwiOiJDSF9ESVJFQ1QiLCJ1c2VyY29kZSI6Ik15VGVzdFVzZXIiLCJkZXZpY2VpZCI6IjExOTI0IiwiY3JlYXRlU2Vzc2lvbiI6IjAifQ.
    Copy 
    {
        "authpol":"AT_PASA",
        "tds":"Please validate Logon",
        "channel":"CH_DIRECT",
        "usercode":"MyTestUser",
        "deviceid":"11924",
        "createSession":"0"
    }

Bcauthorize Response

Copy 
HTTP/1.1 200 OK
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-FRAME-OPTIONS: DENY
Content-Type: application/json; charset=UTF-8
Content-Length: 84
 
{
    "auth_req_id": "a95c61e0-f604-4905-98b1-26b7b87fe073",
    "interval": 5,
    "expires_in": 120
}

Where:

  • auth_req_id – is a unique ID (that is, correlationID) generated by ActivID Appliance that identifies the push-based operation in progress

  • expires_in – the validity (in seconds) of the logon or operation validation request on ActivID Appliance

Error Responses

Code Label Possible Errors

400

BAD REQUEST
  • invalid_request
  • unknown_user_id
  • missing_user_code
  • unauthorized_client

401

UNAUTHORIZED

invalid_token

500

INTERNAL SERVER ERROR

transaction_failed

For detailed responses, see Retrieve the Authentication Result and Access Token.

See also:

Configure RADIUS Push-Based Authentication (Optional)