By: Saulo Araujo user 21 Oct 2020 at 4:32 p.m. CDT

14 Responses
Hi, I am trying to perform a CIBA authentication request by POSTing to the https://demoexample.gluu.org/oxauth/restv1/bc-authorize endpoint:

```
curl -k --user "02332a45-41ee-4f2a-ab65-3266842794b8:uvlyte7SbzWReWEPVrdxX8NULpkoT33YIcaCYakL" --data "scope=openid&login_hint=saulo" https://demoexample.gluu.org/oxauth/restv1/bc-authorize
```

but I am getting the error below:

```
{ "error_description": "The Client is not authorized to use this authentication flow.", "error": "unauthorized_client" }
```

I believe this is happening because I did not set urn:openid:params:grant-type:ciba as a possible grant type for my client. Unfortunately, I could not find a way to do this in oxTrust. When I click the button "Add Grant Type", the only grant types it shows are:

- authorization_code
- implicit
- refresh_token
- client_credentials
- password
- urn:ietf:params:oauth:grant-type:uma-ticket

Do I really need to set urn:openid:params:grant-type:ciba as a possible grant type? If so, how do I do this?

By Aliaksandr Samuseu staff 21 Oct 2020 at 6:09 p.m. CDT

Hi, Saulo. I wonder if we overlooked a few things when adding this new feature. @Yuriy.Zabrovarnyy , do you think we may need some additional actions to enable it in 4.2? I.e., is it enabled OOTB? @Thomas Gasmyr.Mougang , can it be web UI issue, perhaps?

By Aliaksandr Samuseu staff 21 Oct 2020 at 6:11 p.m. CDT

Btw, I don't think Community Support does cover Docker/K8s-based deployments. Unless it's a universal kind of issue, we may not be able to provide further help unless you're planning to sign a support contract with Gluu, sorry.

By Yuriy Zabrovarnyy staff 22 Oct 2020 at 2:35 a.m. CDT

Yes, it's correct, the CIBA grant type (`urn:openid:params:grant-type:ciba`) is required to perform CIBA requests. If it's not available in the UI then it's a bug. @Aliaksandr.Samuseu please validate. If it's reproducible, open a ticket on the oxTrust project and assign it to @J. Milton.Chambi M.

By Milton Ch. staff 22 Oct 2020 at 12:45 p.m. CDT

Hi @Saulo, please check that your oxAuth JSON properties have all grant types supported; if the CIBA grant type is not there, then you will not be able to add it in your client config.

By Saulo Araujo user 22 Oct 2020 at 1:55 p.m. CDT

Hi @J. Milton.Chambi M. As this screenshot shows, I have updated the JSON properties to enable CIBA: Is there anything else that I have to do?

By Saulo Araujo user 22 Oct 2020 at 1:56 p.m. CDT

Looks like I pushed the wrong button and closed the issue. Is there a way to reopen it?

By Saulo Araujo user 22 Oct 2020 at 2:05 p.m. CDT

By the way, the documentation talks about a JSON property called **cibaEnabled** (https://gluu.org/docs/gluu-server/4.2/admin-guide/ciba/#json-configuration) but I was not able to find it in oxTrust. Despite that, the Configuration/Discovery (https://{hostname}/.well-known/openid-configuration) endpoint says that CIBA is supported (see the **grant_types_supported** property values):

```json
{
  "request_parameter_supported" : true,
  "token_revocation_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/revoke",
  "introspection_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/introspection",
  "claims_parameter_supported" : true,
  "issuer" : "https://demoexample.gluu.org",
  "userinfo_encryption_enc_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "id_token_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "authorization_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/authorize",
  "service_documentation" : "http://gluu.org/docs",
  "id_generation_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/id",
  "claims_supported" : [ "street_address", "country", "zoneinfo", "birthdate", "gender", "formatted", "user_name", "phone_mobile_number", "preferred_username", "locale", "inum", "openbanking_intent_id", "updated_at", "nickname", "org_name", "email", "website", "email_verified", "profile", "locality", "phone_number_verified", "given_name", "middle_name", "picture", "name", "phone_number", "accounts", "postal_code", "region", "family_name" ],
  "scope_to_claims_mapping" : [
    { "profile" : [ "name", "family_name", "given_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale", "updated_at" ] },
    { "openid" : [ ] },
    { "https://demoexample.gluu.org/oxauth/restv1/uma/scopes/scim_access" : [ ] },
    { "permission" : [ ] },
    { "accounts" : [ "openbanking_intent_id", "accounts" ] },
    { "super_gluu_ro_session" : [ ] },
    { "https://demoexample.gluu.org/oxauth/restv1/uma/scopes/passport_access" : [ ] },
    { "phone" : [ "phone_number_verified", "phone_number" ] },
    { "revoke_session" : [ ] },
    { "address" : [ "formatted", "postal_code", "street_address", "locality", "country", "region" ] },
    { "clientinfo" : [ "name", "inum" ] },
    { "mobile_phone" : [ "phone_mobile_number" ] },
    { "email" : [ "email_verified", "email" ] },
    { "user_name" : [ "user_name" ] },
    { "oxtrust-api-write" : [ ] },
    { "oxd" : [ ] },
    { "uma_protection" : [ ] },
    { "org_name" : [ "org_name" ] },
    { "oxtrust-api-read" : [ ] },
    { "offline_access" : [ ] }
  ],
  "op_policy_uri" : "http://ox.gluu.org/doku.php?id=oxauth:policy",
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ],
  "tls_client_certificate_bound_access_tokens" : true,
  "response_modes_supported" : [ "form_post", "query", "fragment" ],
  "backchannel_logout_session_supported" : true,
  "token_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/token",
  "response_types_supported" : [ "id_token token", "id_token token code", "id_token", "id_token code", "token code", "token", "code" ],
  "request_uri_parameter_supported" : true,
  "backchannel_user_code_parameter_supported" : false,
  "grant_types_supported" : [ "urn:openid:params:grant-type:ciba", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:uma-ticket", "implicit", "authorization_code", "refresh_token" ],
  "ui_locales_supported" : [ "en", "bg", "de", "es", "fr", "it", "ru", "tr" ],
  "userinfo_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/userinfo",
  "op_tos_uri" : "http://ox.gluu.org/doku.php?id=oxauth:tos",
  "auth_level_mapping" : { "-1" : [ "simple_password_auth" ] },
  "require_request_uri_registration" : false,
  "id_token_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "frontchannel_logout_session_supported" : true,
  "claims_locales_supported" : [ "en" ],
  "clientinfo_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/clientinfo",
  "request_object_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ],
  "request_object_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "session_revocation_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/revoke_session",
  "check_session_iframe" : "https://demoexample.gluu.org/oxauth/opiframe.htm",
  "scopes_supported" : [ "address", "openid", "clientinfo", "user_name", "profile", "uma_protection", "permission", "https://demoexample.gluu.org/oxauth/restv1/uma/scopes/passport_access", "revoke_session", "oxtrust-api-write", "oxtrust-api-read", "https://demoexample.gluu.org/oxauth/restv1/uma/scopes/scim_access", "phone", "mobile_phone", "offline_access", "oxd", "accounts", "super_gluu_ro_session", "org_name", "email" ],
  "backchannel_logout_supported" : true,
  "acr_values_supported" : [ "simple_password_auth" ],
  "request_object_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "device_authorization_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/device_authorization",
  "display_values_supported" : [ "page", "popup" ],
  "userinfo_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ],
  "claim_types_supported" : [ "normal" ],
  "userinfo_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "end_session_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/end_session",
  "revocation_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/revoke",
  "backchannel_authentication_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/bc-authorize",
  "token_endpoint_auth_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ],
  "frontchannel_logout_supported" : true,
  "jwks_uri" : "https://demoexample.gluu.org/oxauth/restv1/jwks",
  "subject_types_supported" : [ "public", "pairwise" ],
  "id_token_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512" ],
  "registration_endpoint" : "https://demoexample.gluu.org/oxauth/restv1/register",
  "id_token_token_binding_cnf_values_supported" : [ "tbh" ]
}
```

By Milton Ch. staff 22 Oct 2020 at 2:33 p.m. CDT

Yes, please also check `dynamicGrantTypeDefault`; in that property you should have the same grant type set. Definitely, **cibaEnabled** should be activated. After that please try to access oxTrust again and see whether you can add that grant type to your existing client.

By Saulo Araujo user 22 Oct 2020 at 2:54 p.m. CDT

Hi @J. Milton.Chambi M. I have set the same grant type set in the properties dynamicGrantTypeDefault and grantTypesSupported. Regarding the cibaEnabled property, I could not find it in oxTrust. Could you tell me how to activate it in oxTrust?

By Milton Ch. staff 22 Oct 2020 at 8:23 p.m. CDT

It should be inside this page `/identity/configuration/updateConfiguration.htm`. If it's not, please confirm which oxTrust version you are using and also whether you can see other CIBA properties.

By Saulo Araujo user 23 Oct 2020 at 6:15 a.m. CDT

I can see some CIBA properties: cibaGrantLifeExtraTimeSec and cibaMaxExpirationTimeAllowedSec. I can also see a property group named cibaEndUserNotificationConfig which contains properties like deviceAuthzRequestExpiresIn, deviceAuthzTokenPollInterval etc. Unfortunately, I cannot find the cibaEnabled property. I am using the image: gluufederation/oxtrust:4.2.1_01

By Milton Ch. staff 23 Oct 2020 at 2:08 p.m. CDT

Ok, please go ahead with your current config. I think cibaEnabled was not released in that version, therefore it should be activated by default.

By Saulo Araujo user 23 Oct 2020 at 2:46 p.m. CDT

@J. Milton.Chambi M. I am not sure that I have understood your last message. I believe I have checked/tested everything you have suggested. Maybe there is really a bug in oxTrust, i.e., it is not showing the grant type urn:openid:params:grant-type:ciba to the user. What do you think?

By Milton Ch. staff 23 Oct 2020 at 3:05 p.m. CDT

Yes, I'm creating a new internal issue in oxTrust in order to fix it. Meanwhile you can use the dynamic client registration endpoint, which is basically similar to this, and in that case it uses the oxAuth JSON config that you already configured. https://gluu.org/docs/gluu-server/4.2/admin-guide/openid-connect/#dynamic-client-registration
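The checks this thread walks through, as an added example that is not part of the thread or of Gluu's own code: confirm from the discovery document that the OP advertises the CIBA grant and a backchannel endpoint, build the same bc-authorize POST the curl command sends, map an `unauthorized_client` reply back to the missing client grant type, and produce a dynamic-registration payload that includes the CIBA grant (the workaround suggested above). The discovery excerpt, host names and client credentials are constructed; `backchannel_token_delivery_mode` is the registration field defined by the CIBA spec.

```python
import base64
import json
from urllib.parse import urlencode

CIBA_GRANT = "urn:openid:params:grant-type:ciba"

# Constructed excerpt of an OP discovery document, modelled on the one posted in the thread.
DISCOVERY = {
    "issuer": "https://op.example",
    "backchannel_authentication_endpoint": "https://op.example/oxauth/restv1/bc-authorize",
    "grant_types_supported": [CIBA_GRANT, "authorization_code", "refresh_token"],
}


def ciba_preflight(discovery):
    """Reasons the OP itself cannot serve a CIBA request (empty list: the OP side is fine)."""
    problems = []
    if CIBA_GRANT not in discovery.get("grant_types_supported", []):
        problems.append("OP does not advertise " + CIBA_GRANT)
    if "backchannel_authentication_endpoint" not in discovery:
        problems.append("OP has no backchannel_authentication_endpoint")
    return problems


def bc_authorize_request(discovery, client_id, client_secret, scope, login_hint):
    """Build the POST the curl command in the thread sends: Basic client auth plus a form body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"scope": scope, "login_hint": login_hint})
    return discovery["backchannel_authentication_endpoint"], headers, body


def diagnose_bc_authorize_response(status, body_text):
    """Turn the OP's reply into the next step; unauthorized_client is the client-side gap from the thread."""
    body = json.loads(body_text)
    if status == 200 and "auth_req_id" in body:
        return "ok: poll the token endpoint with grant_type=" + CIBA_GRANT
    if body.get("error") == "unauthorized_client":
        return "client not registered for " + CIBA_GRANT + ": add it to the client's grant_types"
    return "error: " + body.get("error", "unknown")


def ciba_client_registration(redirect_uris):
    """Dynamic-registration payload (RFC 7591 fields plus the CIBA grant and delivery mode)."""
    return {"client_name": "ciba-client",
            "redirect_uris": redirect_uris,
            "grant_types": ["authorization_code", "refresh_token", CIBA_GRANT],
            "backchannel_token_delivery_mode": "poll",
            "token_endpoint_auth_method": "client_secret_basic"}
```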