By: VanHoan Hoang user 13 May 2022 at 10:09 a.m. CDT

5 Responses
Dear community, I'm trying to set up the CIBA flow. I have configured all the necessary parameters for the client. In order for user authentication to happen, I have set up a Firebase FCM application. I have also created a webapp to register with the Firebase FCM application. The webapp is successfully connected to Firebase and got a registration token. The webapp acts as an authentication device of the user. The last step for me is to bind the authentication device to the user. According to the documentation, I can do it via the endpoint `/restv1/bc-deviceRegistration`. This endpoint asks for two parameters in the POST request: `device_registration_token` and `id_token_hint`. I got the `device_registration_token` during the installation of the authentication device, but I still don't understand how I can get the `id_token_hint`. Given that the user has never been authenticated via the CIBA grant, how can I get this parameter for the user? Can you clarify it for me, please? Thanks

By Michael Schwartz Account Admin 13 May 2022 at 10:49 a.m. CDT

It's a very interesting question. Would you be interested in writing a Medium article about this when you're done? Not a lot of people are testing CIBA. I'd love to see a howto article on this topic :-) I can ask an engineer to help you. I see your point... if you haven't authenticated (and authorized), you wouldn't have an `id_token` yet. Also, how is your client configured? Can you print the client summary and paste it here (or a screenshot)? Perhaps you need hybrid flow, i.e. `response_type` = `code id_token`?

By Milton Ch. staff 13 May 2022 at 1:17 p.m. CDT

Hi VanHoan, thanks for reaching out to us about this concern. Actually, the Firebase integration requires that device registration token, which is associated inside user attributes; each time we need to send that notification, the AS takes that value and sends the notification via FCM. I understand the concern about `id_token_hint`. In this case we have two options:

1. Authenticate the user using another authn mode, and then the `id_token_hint` would be generated.
2. Set the device registration token manually inside the `jansBackchannelDeviceRegistrationTkn` user custom attribute; you could use admin for this one or go directly to the database.

BTW, you could also use interception scripts directly to customize this experience; all required information could be set directly inside script params and user data. Let me know if you require something else where I could help, thanks.
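
An added example (not part of the thread and not Gluu's own code) for option 1 above: once an `id_token` has been obtained through another authentication mode, this Python code decodes it to show which user (`sub`) the device will be bound to and builds the POST to `/restv1/bc-deviceRegistration`. The form encoding, the local `aud`/`exp` checks, the host `as.example.test` and all sample values are assumptions.

```python
import base64, json, time
from urllib.parse import urlencode

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token):
    """Decode the payload only; signature verification is left to the AS."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def build_registration_request(base_url, id_token, device_token, client_id, now=None):
    """Return the POST that binds device_token to the user named in id_token."""
    now = time.time() if now is None else now
    claims = id_token_claims(id_token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Local sanity checks (assumptions of this example, not rules from the thread).
    if client_id not in audiences:
        raise ValueError("id_token was not issued to this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired; authenticate the user again")
    if not device_token:
        raise ValueError("missing FCM registration token")
    return {
        "method": "POST",
        # Path as given in the thread; any context prefix depends on the deployment.
        "url": base_url.rstrip("/") + "/restv1/bc-deviceRegistration",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},  # assumed
        "body": urlencode({"id_token_hint": id_token,
                           "device_registration_token": device_token}),
        "bound_user": claims.get("sub"),  # who the device will be tied to
    }

def make_sample_id_token(claims):
    """Constructed token with a dummy signature, for offline demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    token = make_sample_id_token({"sub": "user-123", "aud": "client-abc", "exp": 2000})
    req = build_registration_request("https://as.example.test", token,
                                     "fcm-token-constructed", "client-abc", now=1000)
    print(req["bound_user"], req["url"])
```

Checking `bound_user` before sending matters because the `id_token_hint` is what tells the AS which account receives the push device.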

By VanHoan Hoang user 16 May 2022 at 9:42 a.m. CDT

Dear @Michael.Schwartz, thank you for the suggestion and your help. I'm new to Gluu and had quite a few problems running it. CIBA seems to be the only open source project which supports all functional modes for the CIBA grant type, and I like it. Yes, as soon as I finish this integration, I will write a howto blog to go into detail about the problems that I got during the integration. Thank you for your help.

By VanHoan Hoang user 17 May 2022 at 11:06 a.m. CDT

@Milton.Ch. Thank you so much for the response. I am facing a new issue related to `unsupported_response_type` during user authentication (the last step in the flow). I opened a separate ticket #10498 ([LINK](https://support.gluu.org/single-sign-on/10498/error-during-running-ciba-flow-with-push-mode/)), as it may help some community members who face the same problem. Can you please help me to solve it?

By Milton Ch. staff 17 May 2022 at 2:22 p.m. CDT

Hi VanHoan, sure, let me take a deep look at that issue. Meanwhile, I suppose we can close this ticket. Feel free to reopen in case it requires further review. Thanks!