Skip to Content
Admin ConsoleAdvanced OAuth2

Advanced OAuth2 Settings

Auris supports four advanced OAuth2 capabilities beyond the standard Authorization Code + PKCE flow: Device Authorization Flow, Client-Initiated Backchannel Authentication (CIBA), DPoP (Demonstration of Proof-of-Possession), and Token Exchange. Each feature is configured per-application and can be enabled independently.

These features address enterprise scenarios such as authenticating on input-constrained devices (smart TVs, CLI tools), server-initiated authentication (call centers, kiosk approvals), cryptographic sender-constraining of tokens, and controlled identity delegation.

Access via ConsoleApplications → select an application → Settings tab.


Device Authorization Flow (RFC 8628)

The Device Authorization Flow allows users to authenticate on devices that lack a browser or have limited input capabilities. The device displays a short code that the user enters on a separate device (phone or computer) to authorize the session.

Enabling Device Flow

Open the application settings

Go to ConsoleApplications and click on the application you want to configure. Navigate to the Settings tab.

Enable Device Flow

Toggle Enable Device Flow to on.

Configure settings

SettingDefaultDescription
Polling Interval5 secondsHow often the device should poll the token endpoint for authorization status. Setting this too low increases server load.
Code Lifetime600 seconds (10 min)How long the user code remains valid. After expiry, the device must request a new code.
User Code Length8 charactersLength of the code shown to the user. Longer codes are more secure but harder to type.

Save

Click Save to apply the configuration.

Verification URI

After enabling Device Flow, Auris provides a Verification URI for your application. This is the URL you display to users alongside the device code. The format is:

https://auth.yourdomain.com/hosted/device

Your device application should display both the verification URI and the user code, for example:

To sign in, visit: https://auth.yourdomain.com/hosted/device Enter code: ABCD-EFGH

The verification URI is the same for all applications in your tenant. The user code uniquely identifies the device authorization session, so no application-specific URL is needed.

How It Works

  1. The device requests a device code from POST /api/oauth/device/authorize
  2. The user visits the verification URI and enters the code
  3. The user authenticates normally (password, MFA, SSO — whatever your tenant requires)
  4. The device polls POST /api/auth/token with grant_type=urn:ietf:params:oauth:grant-type:device_code until the user completes authentication
  5. Once authorized, the device receives access and refresh tokens
POST/api/oauth/device/authorize
POST/api/auth/token

Client-Initiated Backchannel Authentication (CIBA)

CIBA enables server-to-server authentication where the relying party initiates authentication without the user being present at the application. The user receives a notification (SMS or email) and approves the login on their own device.

Typical use cases include call-center authentication (“we’ve sent a notification to your phone — please approve it to verify your identity”) and background re-authentication for long-running sessions.

Enabling CIBA

Open the application settings

Go to ConsoleApplications and select the application. Navigate to the Settings tab.

Enable CIBA

Toggle Enable CIBA to on.

Configure notification settings

SettingDefaultDescription
Notification ModePollHow the relying party receives the authentication result. See Notification Modes below.
Notification ChannelEmailHow the user is notified of the pending authentication: SMS or Email.
Request Lifetime300 seconds (5 min)How long the authentication request is valid before expiring.
Token Delivery ModePollHow the client receives the final tokens. Options: poll, ping, push.

Configure callback URL (ping/push modes only)

If using ping or push notification mode, enter the Callback URL where Auris should send the authentication result.

Save

Click Save to apply the configuration.

Notification Modes

ModeBehavior
PollThe relying party polls the token endpoint at intervals until the user responds. Simplest to implement.
PingAuris sends a notification to the callback URL when the user responds, then the relying party calls the token endpoint to retrieve tokens.
PushAuris sends the tokens directly to the callback URL when the user approves. The relying party does not need to poll.

Push mode delivers tokens directly to your callback URL. Ensure this endpoint is secured with TLS and validates the incoming request signature. If the callback URL is compromised, an attacker could intercept tokens.

POST/api/oauth/ciba/authorize

DPoP (Demonstration of Proof-of-Possession) — RFC 9449

DPoP binds access tokens to a specific client by requiring the client to prove possession of a private key on every request. This prevents token theft and replay attacks — even if an access token is intercepted, it cannot be used without the corresponding private key.

Enabling DPoP

Open the application settings

Navigate to ConsoleApplications → select the application → Settings tab.

Enable DPoP

Toggle Enable DPoP to on.

Configure DPoP settings

SettingDefaultDescription
Enable DPoPOffAllows clients to use DPoP proofs when requesting tokens.
Require DPoPOffWhen enabled, Auris rejects token requests that do not include a valid DPoP proof. Only enable this after confirming all clients support DPoP.
Require NoncesOffAdds server-issued nonces to the DPoP flow for replay protection. Increases security but adds an extra round-trip.

Save

Click Save to apply.

How DPoP Works

  1. The client generates an asymmetric key pair (typically ECDSA P-256)
  2. On each token request, the client creates a DPoP proof JWT signed with its private key, containing the HTTP method, URL, and a unique identifier
  3. Auris verifies the proof and binds the issued token to the client’s public key (JWK thumbprint)
  4. On subsequent API calls, the client includes both the access token and a fresh DPoP proof header
  5. Resource servers verify that the token’s jkt (JWK Thumbprint) claim matches the DPoP proof

DPoP configuration also appears on the application detail page under the Security section, providing quick access to the same settings from multiple navigation paths.


Token Exchange (RFC 8693)

Token Exchange allows one service to exchange an access token for a new token with different scopes, subject, or audience. This supports two patterns: impersonation (acting as another user) and delegation (acting on behalf of another user while retaining the original identity).

Enabling Token Exchange

Open the application settings

Navigate to ConsoleApplications → select the application → Settings tab.

Enable Token Exchange

Toggle Enable Token Exchange to on.

Select allowed exchange types

TypePermission RequiredDescription
Impersonationimpersonate:usersThe resulting token has the target user as its subject. The original identity is not preserved. Used for admin support scenarios.
Delegationdelegate:tokensThe resulting token includes an act (actor) claim preserving the original caller’s identity. The subject is the target user. Used for service-to-service delegation chains.

Save

Click Save to apply.

Impersonation is a powerful capability. Only grant the impersonate:users permission to highly trusted applications and roles. All token exchanges are logged in the audit log with the original and target identities.

POST/api/auth/token

Monitoring

The Console provides dedicated monitoring pages for each advanced OAuth2 feature. Access them from the Advanced OAuth section in the sidebar.

Device Codes

Go to ConsoleAdvanced OAuthDevice Codes to view all active and expired device authorization sessions.

ColumnDescription
User CodeThe code displayed to the user
ClientThe application that requested the device code
StatusPending, Authorized, Expired, or Denied
Created AtWhen the device code was issued
Expires AtWhen the device code expires
UserThe user who authorized the session (if authorized)

CIBA Requests

Go to ConsoleAdvanced OAuthCIBA Requests to view backchannel authentication requests.

ColumnDescription
Request IDUnique identifier for the CIBA request
UserThe user being authenticated
ClientThe application that initiated the request
StatusPending, Completed, Expired, or Denied
Notification ModePoll, Ping, or Push
Created AtWhen the request was initiated

Token Exchanges

Go to ConsoleAdvanced OAuthToken Exchanges to view the audit log of all token exchange operations.

ColumnDescription
TimestampWhen the exchange occurred
TypeImpersonation or Delegation
From IdentityThe original authenticated identity
To IdentityThe target user identity
ClientThe application that performed the exchange
ScopesThe scopes granted on the exchanged token

Risk Scoring

Advanced OAuth2 features integrate with the Auris risk scoring engine. When risk scoring is enabled, each authentication through Device Flow, CIBA, or Token Exchange is evaluated for risk just like a standard login. High-risk authentications may trigger step-up MFA requirements.

For detailed configuration of the risk engine, factor weights, thresholds, and custom rules, see the dedicated Risk Scoring & Adaptive MFA page.


Permissions

The following permissions control access to advanced OAuth2 features:

PermissionDescription
view:device_codesView active device authorization sessions
manage:device_codesRevoke device codes
view:token_exchangesView token exchange audit log
impersonate:usersPerform impersonation token exchanges
delegate:tokensPerform delegation token exchanges
manage:dpop_configConfigure DPoP settings on applications
view:ciba_requestsView backchannel authentication requests
manage:ciba_configConfigure CIBA settings on applications
view:risk_assessmentsView risk assessment data
manage:risk_rulesCreate and modify risk scoring rules
manage:advanced_oauthFull access to all advanced OAuth2 settings