
I am trying to set up a CIBA endpoint on Keycloak 15.0.2. I have set up a client with the CIBA endpoint enabled, but when I hit it with a request that looks something like this:

curl -s -X POST \
-d "client_id=ciba_client_test" \
-d "client_secret=xxx" \
-d "login_hint=test_user_name" \
-d "scope=openid" \
"https://keycloak.address.com/auth/realms/poc_new/protocol/openid-connect/ext/ciba/auth"

I get an error back that looks like this:

{"error":"server_error","error_description":"Failed to send authentication request"}

I have checked settings on the client and realm and cannot see anything that would be preventing the authentication request.

timalive

2 Answers


CIBA relies on the concept of an "Authentication Device", e.g. a smartphone on which you have an app provided by some 3rd party.

When you send your request, my guess is that Keycloak is unable to contact that 3rd party to delegate the authentication process. Did you define one as specified in the documentation? https://www.keycloak.org/docs/latest/server_admin/#provider-setting

Edit 24/11/2021: My local test setup has Keycloak 15.0.2 running in standalone mode. The 'standalone.xml' configuration file defines a 'ciba-http-auth-channel' provider, which points to a Spring Boot app emulating an Authentication Device. I did encounter TLS issues (SSLSocket duplex close failed, which did not make any sense) when trying to run everything in containers - moving to a standard (i.e. no containers) approach solved those issues.

Side note: I found one limitation with the way users/login_hints are handled: users must be defined in your realm, even if they're actually managed by external parties. For a production setup, some kind of user federation will be required.

veebee

CIBA request messages must be form URL encoded but other than that your request looks ok. Try it with this header. Also the Curity CIBA walkthrough may provide some useful further info.

-H 'Content-Type: application/x-www-form-urlencoded'
Gary Archer
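The following is an added example, not code from the question or from either answer: it builds the CIBA backchannel authentication request as a form-URL-encoded body with the Content-Type header recommended above, classifies Keycloak's JSON reply (including the server_error shown in the question, which is a channel/provider problem rather than a client-side encoding one), and goes one step beyond the thread by handling the CIBA token-polling responses. The base URL and realm are placeholders, and the sample replies are constructed.

```python
import json
from urllib.parse import urlencode

# Placeholder Keycloak base URL and realm (assumption, not from the question).
BASE = "https://keycloak.example.com/auth/realms/poc_new/protocol/openid-connect"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def build_ciba_auth_request(client_id, client_secret, login_hint, scope="openid",
                            binding_message=None):
    """Return (url, headers, body) for the backchannel authentication request.
    CIBA requires the body to be form-URL-encoded, so urlencode() does it."""
    params = {"client_id": client_id, "client_secret": client_secret,
              "login_hint": login_hint, "scope": scope}
    if binding_message:  # optional text shown on the Authentication Device
        params["binding_message"] = binding_message
    return f"{BASE}/ext/ciba/auth", dict(FORM), urlencode(params)


def build_ciba_token_request(client_id, client_secret, auth_req_id):
    """Return (url, headers, body) for polling the token endpoint with the CIBA grant."""
    params = {"grant_type": "urn:openid:params:grant-type:ciba",
              "client_id": client_id, "client_secret": client_secret,
              "auth_req_id": auth_req_id}
    return f"{BASE}/token", dict(FORM), urlencode(params)


def interpret_auth_response(status, body):
    """Classify the reply to the backchannel request.
    Success carries auth_req_id plus the polling interval; anything else is an
    OAuth-style error object (e.g. server_error when Keycloak cannot reach the
    configured authentication channel provider)."""
    data = json.loads(body)
    if status == 200 and "auth_req_id" in data:
        return ("pending", data["auth_req_id"], int(data.get("interval", 5)))
    return ("error", data.get("error"), data.get("error_description"))


def interpret_token_response(status, body):
    """Map a token-endpoint reply to the client's next action."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "granted"
    if data.get("error") in ("authorization_pending", "slow_down"):
        return "poll_again"  # slow_down also means: increase the interval
    return "failed"  # expired_token, access_denied, invalid_grant, ...


# Constructed sample replies: the error from the question and a typical success.
SERVER_ERROR = '{"error":"server_error","error_description":"Failed to send authentication request"}'
ACCEPTED = '{"auth_req_id":"sample-auth-req-id","expires_in":120,"interval":5}'
```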