
CIBA — Primer

CIBA (Client-Initiated Backchannel Authentication) enables decoupled, back‑channel user authentication where the client polls (or is notified) to complete login without a browser redirect.


Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, params/egress)
  • Shield: inline budgets/stream caps/content checks
  • PDP: decisions with constraints/obligations/TTL
  • IdP: passports, token exchange, consent/DPoP

How it works (high level)

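CIBA authenticates the user over a back channel rather than through a browser redirect. It defines three token delivery modes: poll, ping and push. In poll mode, the AS (authorization server) answers the backchannel authentication request with auth_req_id and interval; the client then polls /token, no more often than interval allows, until success or timeout.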

mermaid
sequenceDiagram
  autonumber
  participant Client
  participant AS
  Client->>AS: backchannel auth (login_hint)
  AS-->>Client: {auth_req_id, interval}
  loop poll
    Client->>AS: POST /token (auth_req_id)
    AS-->>Client: authorization_pending
  end
  AS-->>Client: {access_token, id_token}
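
The poll loop in the diagram above, as an added example (not code from this page or its vendor). The post_token transport hook, the demo function and the scripted AS responses are constructed assumptions; the grant type and the slow_down, access_denied and expired_token error codes come from the CIBA Core specification.

```python
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from CIBA Core

class CibaError(Exception):
    """Terminal failure of a poll-mode login."""

def poll_for_tokens(post_token, auth_req_id, interval=5, expires_in=120,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll /token until tokens arrive, the AS refuses, or the request expires.

    post_token(form) -> (http_status, json_dict) is a hypothetical transport
    hook; a real client would make an authenticated HTTPS POST here.
    """
    deadline = clock() + expires_in
    while True:
        sleep(interval)                      # never poll faster than the AS allows
        if clock() >= deadline:
            raise CibaError("timeout")       # stop once auth_req_id has expired
        status, body = post_token({"grant_type": CIBA_GRANT,
                                   "auth_req_id": auth_req_id})
        if status == 200 and "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue                         # user has not answered yet
        if error == "slow_down":
            interval += 5                    # spec: back off by at least 5 seconds
            continue
        # access_denied, expired_token and anything unrecognised are terminal
        raise CibaError(error or f"unexpected HTTP {status}")

def demo():
    """Run the loop against constructed AS responses with a simulated clock."""
    script = iter([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (200, {"access_token": "constructed-at", "id_token": "constructed-idt"}),
    ])
    waits, now = [], [0.0]
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    tokens = poll_for_tokens(lambda form: next(script), "constructed-req-1",
                             interval=2, expires_in=60,
                             sleep=fake_sleep, clock=lambda: now[0])
    return tokens, waits

if __name__ == "__main__":
    print(demo())
```

Treating every error other than authorization_pending and slow_down as terminal keeps a denied or expired request from being retried indefinitely.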
