@guabu guabu commented Aug 7, 2025

📋 Changes

Adds support for Client-Initiated Backchannel Authentication. A new method getTokenByBackchannelAuth is exposed on the client that enables developers to initiate a backchannel authentication request and poll the token endpoint until it's complete.

The openid-client was added to handle the polling and retry logic without having to re-implement it ourselves using oauth4webapi and to start moving the implementation closer to that of auth0-auth-js.

🎯 Testing

  1. Call the getTokenByBackchannelAuth method from a server route/action
  2. Authorize or reject the authorization via a Guardian app
  3. The SDK will return the token set or error accordingly

@guabu guabu requested a review from a team as a code owner August 7, 2025 07:29
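
The PR description above says the new method initiates a backchannel authentication request and polls the token endpoint until it completes. The sketch below is an added example, not code from this PR or from openid-client, showing how a poll-mode CIBA client treats each token-endpoint response (`authorization_pending`, `slow_down`, terminal errors) per the CIBA Core spec. `simulateCibaPoll`, the virtual clock, the `no_more_responses` sentinel and the sample responses are assumptions made for illustration.

```typescript
// Added example, not code from the PR or from openid-client.
// Error codes and interval handling follow OpenID Connect CIBA Core (poll mode).
type TokenResponse = { access_token: string } | { error: string };

type PollResult =
  | { status: "approved"; accessToken: string; waited: number; polls: number }
  | { status: "failed"; error: string; waited: number; polls: number };

const DEFAULT_INTERVAL = 5; // seconds; applies when the server sends no `interval`

// Hypothetical helper: walks constructed token-endpoint responses on a
// virtual clock so the result is deterministic and needs no network.
function simulateCibaPoll(
  responses: TokenResponse[],
  expiresIn: number, // lifetime of the auth_req_id in seconds
  interval: number = DEFAULT_INTERVAL
): PollResult {
  let waited = 0;
  let polls = 0;
  for (const res of responses) {
    // Stop locally instead of polling past the auth_req_id lifetime.
    if (waited + interval > expiresIn) {
      return { status: "failed", error: "expired_token", waited, polls };
    }
    waited += interval;
    polls += 1;
    if ("access_token" in res) {
      return { status: "approved", accessToken: res.access_token, waited, polls };
    }
    if (res.error === "authorization_pending") continue; // user has not acted yet
    if (res.error === "slow_down") {
      interval += 5; // back off by at least 5 seconds, then keep polling
      continue;
    }
    // access_denied, expired_token and any unknown error end the flow.
    return { status: "failed", error: res.error, waited, polls };
  }
  // Constructed sentinel: the sample ran out of responses before an outcome.
  return { status: "failed", error: "no_more_responses", waited, polls };
}

// Constructed sample: pending, throttled, pending, then approved.
const SAMPLE_RESPONSES: TokenResponse[] = [
  { error: "authorization_pending" },
  { error: "slow_down" },
  { error: "authorization_pending" },
  { access_token: "constructed-token" },
];
console.log(simulateCibaPoll(SAMPLE_RESPONSES, 300));
```
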
@adamjmcgrath

> The openid-client was added to handle the polling and retry logic without having to re-implement it ourselves using oauth4webapi and to start moving the implementation closer to that of auth0-auth-js.

Would it make more sense to use auth0-auth-js for CIBA now if that's what the sdk is going to end up using?

codecov-commenter commented Aug 13, 2025

Codecov Report

❌ Patch coverage is 84.72222% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.34%. Comparing base (93e7b2a) to head (866ae3c).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/server/auth-client.ts | 87.17% | 15 Missing ⚠️ |
| src/server/client.ts | 12.50% | 7 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2261      +/-   ##
==========================================
- Coverage   85.39%   85.34%   -0.05%     
==========================================
  Files          26       26              
  Lines        2471     2613     +142     
  Branches      462      481      +19     
==========================================
+ Hits         2110     2230     +120     
- Misses        355      377      +22     
  Partials        6        6              

@tusharpandey13 tusharpandey13 left a comment

Do we think that exporting openid-client polling configuration can be useful here instead of hardcoding the default config?
https://github.com/panva/openid-client/blob/main/docs/interfaces/BackchannelAuthenticationGrantPollOptions.md

guabu commented Sep 2, 2025

Thanks for the reviews!

> Do we think that exporting openid-client polling configuration can be useful here instead of hardcoding the default config?
> https://github.com/panva/openid-client/blob/main/docs/interfaces/BackchannelAuthenticationGrantPollOptions.md

We might want to consider that in the future if/when the use case arises but for the time being I would say it's better to keep the surface area of the API limited.

> Would it make more sense to use auth0-auth-js for CIBA now if that's what the sdk is going to end up using?

We chatted about this and decided to rely on openid-client directly since that's what auth0-auth-js uses under the hood as well.

@tusharpandey13 tusharpandey13 merged commit 6e0c514 into auth0:main Sep 4, 2025
3 checks passed
@guabu guabu deleted the ciba branch September 4, 2025 14:15