CIBA Ping Callback
When using the CIBA ping method, BindID sends HTTP POST requests to the endpoint specified in the BindID Admin Portal application settings (Notification URL) when users open authentication links and finish authentication flows. After an authentication flow is completed, call the /token endpoint to retrieve the user tokens or the authentication failure error code.
Endpoint Requirements
Your endpoint must support HTTPS. When a CIBA ping notification is received, you should verify that its bearer token is identical to the value of the client_notification_token sent in the CIBA authentication request and then return an HTTP 200 status response. If a success response is not received within 4 seconds, BindID attempts to resend the notification up to a maximum of 5 times.
Notification Headers
The notifications sent to your endpoint have these request headers:
Header Name | Description |
---|---|
content-type | application/json |
Authorization | A bearer token, where the value of the token is determined by the client_notification_token field in the CIBA authentication API request. |
Notification Body
The notification's body contains a data JSON object with the following structure:
Field Name | Description |
---|---|
topic | Indicates the notification type: link_status, a user opened an authentication link; auth_completed, a user completed an authentication flow. |
value | For link_status notifications, the value is opened. For auth_completed notifications, the value is success for successful authentications and failure for failed authentications. |
auth_request_id | Unique identifier to identify the authentication or transaction signing request, as per CIBA standard (returned from calling the CIBA authentication API). |
client_id | BindID client identifier of the client that requested the CIBA authentication. |
Example Notification
Here is an example authentication complete notification:
Authentication Failures
When the authentication flow fails, an auth_completed notification is sent with a failure value:
If this occurs, call the /token endpoint to retrieve the failure reason.
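The endpoint checks described on this page (bearer token comparison, notification parsing, resent notifications, and the /token follow-up), as an added Python example that is not BindID code. It assumes the body wraps the fields as {"data": {...}}; the function name handle_ping, the in-memory stores, the action labels and all sample values are hypothetical.

```python
import hmac
import json

# Constructed sample values, not real BindID data.
PENDING = {"req-123": "s3cret-notify-token"}  # auth_request_id -> client_notification_token
SAMPLE = json.dumps({"data": {"topic": "auth_completed", "value": "failure",
                              "auth_request_id": "req-123", "client_id": "demo-client"}})

def handle_ping(headers, raw_body, pending, done):
    """Return (http_status, action) for one CIBA ping notification.

    headers: request headers as a dict (assumed keyed as "Authorization").
    pending: tokens sent in outstanding CIBA authentication requests.
    done:    auth_request_ids already handled, so a resent notification
             does not trigger a second /token call.
    """
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return 401, "reject"
    try:
        data = json.loads(raw_body)["data"]
        topic, value = data["topic"], data["value"]
        request_id = data["auth_request_id"]
    except (ValueError, KeyError, TypeError):
        return 400, "reject"
    if not isinstance(request_id, str):
        return 400, "reject"
    expected = pending.get(request_id)
    # Constant-time comparison; an unknown auth_request_id is rejected too.
    if expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        return 401, "reject"
    if topic == "link_status" and value == "opened":
        return 200, "link_opened"
    if topic == "auth_completed" and value in ("success", "failure"):
        if request_id in done:
            return 200, "duplicate"  # retry of a notification already processed
        done.add(request_id)
        return 200, "call_token"  # /token yields the tokens or the failure reason
    return 400, "reject"

if __name__ == "__main__":
    seen = set()
    hdrs = {"Authorization": "Bearer s3cret-notify-token"}
    print(handle_ping(hdrs, SAMPLE, PENDING, seen))  # first delivery
    print(handle_ping(hdrs, SAMPLE, PENDING, seen))  # resent delivery
```

Return the status promptly and make the /token call outside the request handler, since notifications are resent when no success response arrives within 4 seconds.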