Skip to main content
Version: v2.0 (latest)

Decoupled Authentication (CIBA)

Client-Initiated Backchannel Authentication (CIBA) removes the browser redirect entirely. The initiating device (the application that wants the authentication) is not the device where the user verifies. Examples include a call-center agent's console and a point-of-sale terminal.

Your application asks OIDC Web to start an authentication. The user verifies their face on their own device, and your application collects the result over a back channel.

When to use it. Anywhere a browser redirect on the requesting device is awkward or impossible. Typical cases are call-center identity checks ("while I have you on the phone, please verify"), point of sale, app-to-app, and transaction confirmation. OIDC Web supports both poll and ping delivery modes. The login_hint identifies whose profile to verify against, exactly as in Authentication Modes.

Advantages. No redirect, no shared browser session; the verification happens on the user's own device while your back end drives the flow.

For the implementation, see Decoupled Authentication (CIBA) in the User Guide.