Bcauthorize Endpoint
Clients can create a request for Client Initiated Backchannel Authentication (CIBA) feedback on operations such as a push-based logon on a mobile device.
The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):
https://[base-server-url]/{tenant}/authn/bcauthorize [POST]
For further information about CIBA deployment, see the push-based solution's Enable Validation Feedback using CIBA Notifications and CIBA Demo Portal Sample.
For detailed responses, see Retrieve the Authentication Result and Access Token.
Bcauthorize Request
POST https://[base-server-url]/{tenant}/authn/bcauthorize HTTP/1.1
Connection: close
Authorization: Bearer RTp7HwAAAXk3s41v8uBOEA92yE98qTLB1+SKlONh
Content-Type: application/x-www-form-urlencoded
{
"scope": "openid hid-tx-sign",
"acr_values": "mod-mf",
"login_hint_token": "eyJhbGciOiJub25lIn0.eyJhdXRocG9sIjoiQVRfVERTIiwidGRzIjoie2Ftb3VudCwgNDAwLjAwfSx7c29ydGNvZGUsMjAtMzAtOTB9LCB7YWNjb3VudF90bywxMjM0LTU2Nzh9IiwiY2hhbm5lbCI6IkNIX1REUyIsInVzZXJjb2RlIjoiYmFua3VzZXIwMSIsImRldmljZWlkIjoiMTEwNTgiLCJjcmVhdGVTZXNzaW9uIjoiMSJ9."
}
Where:
-
scope – is the scope that defines the list of claims (user information) that will be part of the id_token
The hid-tx-sign scope adds support for custom claims, such as "JWS", "PUK", "approvalstatus" , "deviceid" , "domain".
-
login_hint_token – is a JWT token (PlainJWT with no signature or encryption) with the information required to initiate a push-based logon or operation validation approval
-
If set to "1", then a sessionid will be created
-
The default value is "0" (no session is created)
The JWT JSON payload of login_hint_token is:
{
"authpol":"AT_PASA",
"tds":"Please validate Logon",
"channel":"CH_DIRECT",
"usercode":"MyTestUser",
"deviceid":"11924",
"createSession":"0",
"RMSInfo":"eyJhbGciOiJub25lIn0.eyJUTV9TRVNTSU9OX1NJRCI6InJZRmNtNjVwa2hvYXdHUkZnTjFVUk5YWUhsM1FBcGxIIiwiVE1fQ0xJRU5UX0lQIjoiMTAuMTYuNzEuNzkiLCJUTV9TRVNTSU9OX1RSQU5TRkVSIjoiUFc4RDBUUDVrMmFHZEl2TUlYcU5LM2ZCZ1NnNWVCVjdYSEFIOHNneCIsIlRNX0RFVklDRV9UQUciOiIwT2VuTnFBZGxRM2Fwb1ZmSGhkcmJuZ2F2WDRVajNQVCJ9."
}
Where:
Parameter | Description |
---|---|
usercode |
The ActivID AS identifier of the targeted user This is not required for userID-less QR code operations. |
deviceid |
The ActivID AS identifier of the targeted device If not set, the notification is sent to the last used device (the active device that has the most recently used credential for the authentication policy in the request). This is not required for userID-less QR code operations. |
authpol |
The authentication policy to use |
channel |
The channel to create the logon or operation request on the ActivID AS (optional, the default is the channel configured for the OpenID client) |
tds |
(Optional) The logon or operation validation message to be displayed on the device for approval The message has a maximum size limit of |
createSession |
(Optional) Defines if ActivID AS will create a sessionid (aka ALSI) if the operation is validated on the device |
mode |
Required to indicate that the request is for a userID-less QR code operation and you should set the value to userid_less. This is not required for userID-based requests. |
device_type |
Required for a userID-less QR code operation to identify the keyID and you should specify the push-based device type. This is not required for userID-based requests. |
cal |
(Optional) Specifies the default approval status sent to the device for a userID-less QR code operation. This should be a subset (string) of the values defined for the push-based credential type (where the default value is accept|deny|report). If you set the parameter to accept, the request will be automatically signed and the user will not be prompted to approve or decline. |
RMSInfo |
(Optional) A PlainJWT object with information in the context of Risk Management System integration (for further information, see Copy
|
Example of login_hint_token for a userID-less QR code operation:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ0ZHMiOiJ0cmFuc2FjdGlvbkRhdGEiLCJhdXRocG9sIjoiQVRfUEFTQSIsImNoYW5uZWwiOiJDSF9FWFRSQVBQIiwiZGV2aWNlX3R5cGUiOiJEVF9URFNWNCIsImNhbCI6ImFjY2VwdCIsIm1vZGUiOiJ1c2VyaWRfbGVzcyJ9.
CopyThe JWT JSON payload of login_hint_token is:
{
"tds": "transactionData",
"authpol": "AT_PASA",
"channel": "CH_EXTRAPP",
"device_type": "DT_TDSV4",
"cal": "accept",
"mode": "userid_less"
}
Example of login_hint_token without the optional RMSInfo:
eyJhbGciOiJub25lIn0.eyJhdXRocG9sIjoiQVRfUEFTQSIsInRkcyI6IlBsZWFzZSB2YWxpZGF0ZSBMb2dvbiIsImNoYW5uZWwiOiJDSF9ESVJFQ1QiLCJ1c2VyY29kZSI6Ik15VGVzdFVzZXIiLCJkZXZpY2VpZCI6IjExOTI0IiwiY3JlYXRlU2Vzc2lvbiI6IjAifQ.
CopyThe JWT JSON payload of login_hint_token is:
{
"authpol":"AT_PASA",
"tds":"Please validate Logon",
"channel":"CH_DIRECT",
"usercode":"MyTestUser",
"deviceid":"11924",
"createSession":"0"
}
Bcauthorize Response
HTTP/1.1 200 OK
Cache-Control: no-store
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-FRAME-OPTIONS: DENY
Content-Type: application/json; charset=UTF-8
Content-Length: 84
{
"auth_req_id": "a95c61e0-f604-4905-98b1-26b7b87fe073",
"interval": 5,
"expires_in": 120
}
Where:
-
auth_req_id – is a unique ID (that is, correlationID) generated by ActivID AS that identifies the push-based operation in progress
-
expires_in – the validity (in seconds) of the logon or operation validation request on ActivID AS
Error Responses
Code | Label | Possible Errors |
---|---|---|
400 |
BAD REQUEST |
|
401 |
UNAUTHORIZED |
invalid_token |
500 |
INTERNAL SERVER ERROR |
transaction_failed |
See also: