Skip to main content

BackChannelAuthenticationGrantHandler Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Token.Grants

BackChannelAuthenticationGrantHandler Class

Handles the authorization process for backchannel authentication requests under the Client-Initiated Backchannel Authentication (CIBA) grant type. This handler validates the token request based on the backchannel authentication flow, ensuring that the client is authorized and that the user has been authenticated before tokens are issued. Supports both short-polling (immediate response) and long-polling (holds connection until auth completes).

public class BackChannelAuthenticationGrantHandler : Abblix.Oidc.Server.Endpoints.Token.Grants.IAuthorizationGrantHandler, Abblix.Oidc.Server.Common.Interfaces.IGrantTypeInformer

Inheritance System.Object → BackChannelAuthenticationGrantHandler

Implements IAuthorizationGrantHandler, IGrantTypeInformer

Constructors

BackChannelAuthenticationGrantHandler(IBackChannelRequestStorage, TimeProvider, IOptions<OidcOptions>, IServiceProvider, IBackChannelLongPollingService, IHttpContextAccessor) Constructor

Handles the authorization process for backchannel authentication requests under the Client-Initiated Backchannel Authentication (CIBA) grant type. This handler validates the token request based on the backchannel authentication flow, ensuring that the client is authorized and that the user has been authenticated before tokens are issued. Supports both short-polling (immediate response) and long-polling (holds connection until auth completes).

public BackChannelAuthenticationGrantHandler(Abblix.Oidc.Server.Features.BackChannelAuthentication.Interfaces.IBackChannelRequestStorage storage, System.TimeProvider timeProvider, Microsoft.Extensions.Options.IOptions<Abblix.Oidc.Server.Common.Configuration.OidcOptions> options, System.IServiceProvider serviceProvider, Abblix.Oidc.Server.Features.BackChannelAuthentication.Interfaces.IBackChannelLongPollingService? statusNotifier=null, Microsoft.AspNetCore.Http.IHttpContextAccessor? httpContextAccessor=null);

Parameters

storage IBackChannelRequestStorage

Service for storing and retrieving backchannel authentication requests.

timeProvider System.TimeProvider

Provides access to the current time.

options Microsoft.Extensions.Options.IOptions<OidcOptions>

Configuration options for backchannel authentication including long-polling settings.

serviceProvider System.IServiceProvider

Service provider for resolving mode-specific grant processors.

statusNotifier IBackChannelLongPollingService

Notifier for long-polling status changes (null if long-polling disabled).

httpContextAccessor Microsoft.AspNetCore.Http.IHttpContextAccessor

Accessor for HTTP context to retrieve cancellation token.

Properties

BackChannelAuthenticationGrantHandler.GrantTypesSupported Property

Specifies the grant types supported by this handler, specifically the "CIBA" (Client-Initiated Backchannel Authentication) grant type. This property ensures that the handler is only invoked for the specific grant type it supports.

public System.Collections.Generic.IEnumerable<string> GrantTypesSupported { get; }

Implements GrantTypesSupported

Property Value

System.Collections.Generic.IEnumerable<System.String>

Methods

BackChannelAuthenticationGrantHandler.AuthorizeAsync(TokenRequest, ClientInfo) Method

Processes the authorization request by verifying the authentication request ID and checking the status of the associated backchannel authentication request. Supports both short-polling (immediate response) and optional long-polling (holds connection until authentication completes or timeout).

public System.Threading.Tasks.Task<Abblix.Utils.Result<Abblix.Oidc.Server.Endpoints.Token.Interfaces.AuthorizedGrant,Abblix.Oidc.Server.Common.OidcError>> AuthorizeAsync(Abblix.Oidc.Server.Model.TokenRequest request, Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo);

Parameters

request TokenRequest

The token request containing the authentication request ID and other parameters.

clientInfo ClientInfo

Information about the client making the request, used to validate client identity and determine token delivery mode (poll/ping/push).

Implements AuthorizeAsync(TokenRequest, ClientInfo)

Returns

System.Threading.Tasks.Task<Abblix.Utils.Result<AuthorizedGrant,OidcError>>
Either an authorized grant if authentication succeeded, or an error indicating why the request failed (authorization_pending, access_denied, expired_token, slow_down, or invalid_grant).

Remarks

Behavior by Authentication Status:
  • Authenticated:
  • Pending (short-polling):
  • Pending (long-polling):
  • Denied:
  • Expired/Not Found:
  • Rate Limited:

Long-polling reduces latency (0-1s vs 0-5s) and server load (1-4 req/min vs 12 req/min) by holding the connection open until authentication completes instead of requiring repeated polling.