BackChannelAuthenticationGrantHandler Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.Token.Grants
BackChannelAuthenticationGrantHandler Class
Handles the authorization process for backchannel authentication requests under the Client-Initiated Backchannel Authentication (CIBA) grant type. This handler validates the token request based on the backchannel authentication flow, ensuring that the client is authorized and that the user has been authenticated before tokens are issued. Supports both short-polling (immediate response) and long-polling (holds connection until auth completes).
public class BackChannelAuthenticationGrantHandler : Abblix.Oidc.Server.Endpoints.Token.Grants.IAuthorizationGrantHandler, Abblix.Oidc.Server.Common.Interfaces.IGrantTypeInformer
Inheritance System.Object → BackChannelAuthenticationGrantHandler
Implements IAuthorizationGrantHandler, IGrantTypeInformer
Constructors
BackChannelAuthenticationGrantHandler(IBackChannelRequestStorage, TimeProvider, IOptions<OidcOptions>, IServiceProvider, IBackChannelLongPollingService, IHttpContextAccessor) Constructor
Handles the authorization process for backchannel authentication requests under the Client-Initiated Backchannel Authentication (CIBA) grant type. This handler validates the token request based on the backchannel authentication flow, ensuring that the client is authorized and that the user has been authenticated before tokens are issued. Supports both short-polling (immediate response) and long-polling (holds connection until auth completes).
public BackChannelAuthenticationGrantHandler(Abblix.Oidc.Server.Features.BackChannelAuthentication.Interfaces.IBackChannelRequestStorage storage, System.TimeProvider timeProvider, Microsoft.Extensions.Options.IOptions<Abblix.Oidc.Server.Common.Configuration.OidcOptions> options, System.IServiceProvider serviceProvider, Abblix.Oidc.Server.Features.BackChannelAuthentication.Interfaces.IBackChannelLongPollingService? statusNotifier=null, Microsoft.AspNetCore.Http.IHttpContextAccessor? httpContextAccessor=null);
Parameters
storage IBackChannelRequestStorage
Service for storing and retrieving backchannel authentication requests.
timeProvider System.TimeProvider
Provides access to the current time.
options Microsoft.Extensions.Options.IOptions<OidcOptions>
Configuration options for backchannel authentication including long-polling settings.
serviceProvider System.IServiceProvider
Service provider for resolving mode-specific grant processors.
statusNotifier IBackChannelLongPollingService
Notifier for long-polling status changes (null if long-polling disabled).
httpContextAccessor Microsoft.AspNetCore.Http.IHttpContextAccessor
Accessor for HTTP context to retrieve cancellation token.
Properties
BackChannelAuthenticationGrantHandler.GrantTypesSupported Property
Specifies the grant types supported by this handler, specifically the "CIBA" (Client-Initiated Backchannel Authentication) grant type. This property ensures that the handler is only invoked for the specific grant type it supports.
public System.Collections.Generic.IEnumerable<string> GrantTypesSupported { get; }
Implements GrantTypesSupported
Property Value
System.Collections.Generic.IEnumerable<System.String>
Methods
BackChannelAuthenticationGrantHandler.AuthorizeAsync(TokenRequest, ClientInfo) Method
Processes the authorization request by verifying the authentication request ID and checking the status of the associated backchannel authentication request. Supports both short-polling (immediate response) and optional long-polling (holds connection until authentication completes or timeout).
public System.Threading.Tasks.Task<Abblix.Utils.Result<Abblix.Oidc.Server.Endpoints.Token.Interfaces.AuthorizedGrant,Abblix.Oidc.Server.Common.OidcError>> AuthorizeAsync(Abblix.Oidc.Server.Model.TokenRequest request, Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo);
Parameters
request TokenRequest
The token request containing the authentication request ID and other parameters.
clientInfo ClientInfo
Information about the client making the request, used to validate client identity and determine token delivery mode (poll/ping/push).
Implements AuthorizeAsync(TokenRequest, ClientInfo)
Returns
System.Threading.Tasks.Task<Abblix.Utils.Result<AuthorizedGrant,OidcError>>
Either an authorized grant if authentication succeeded, or an error indicating why the request failed
(authorization_pending, access_denied, expired_token, slow_down, or invalid_grant).
Remarks
Behavior by Authentication Status:- Authenticated:
- Pending (short-polling):
- Pending (long-polling):
- Denied:
- Expired/Not Found:
- Rate Limited:
Long-polling reduces latency (0-1s vs 0-5s) and server load (1-4 req/min vs 12 req/min) by holding the connection open until authentication completes instead of requiring repeated polling.