The Back-Channel Login endpoint enables applications to send an authentication request to a user’s phone, or the authentication device, provided they have an app installed and are enrolled for push notifications using the Guardian SDK.
Use the Back-Channel Login endpoint to authenticate users for the following use cases:
If the request is successful, you should receive a response like the following:
{
  "auth_req_id": "eyJh...",
  "expires_in": 300,
  "interval": 5
}
Keep the auth_req_id value: it is used later in the flow to identify the authentication request.
The expires_in value tells you how many seconds you have until the authentication request expires.
The interval value tells you how many seconds you must wait between poll requests.
The request should be approved or rejected on the user’s authentication device using the Guardian SDK.
The login_hint value follows the iss_sub format. For example: { "format": "iss_sub", "iss": "https://[TENANT_DOMAIN]/", "sub": "auth0|[USER ID]" }
Access token obtained from the authentication flow
The client_id of your application.
A human-readable string for the user to ensure they approve the correct request.
A JSON object containing user details for authentication in the iss_sub format.
Space-separated list of OIDC and custom API scopes, including openid at a minimum.
"openid"
Optional unique identifier of the target API for access tokens.
The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to audience when the tenant's Resource Parameter Compatibility Profile is set to compatibility.
"https://api.example.com/"
Custom expiry time for the request in seconds (1-300). Defaults to 300 seconds.
300
An optional JSON array of objects that describe the permissions to be authorized. Each object’s type value should be previously registered on the resource server using the Resource Server’s authorization_details parameter. To learn more, read the Update a resource server Management API documentation.
Authentication request successfully initiated.
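The following Python sketch is an added example, not Auth0's own code. It builds the request fields under the constraints described above (openid in the scope, expiry of 1-300 seconds, login_hint in the iss_sub format) and polls while honouring interval and expires_in. The function names and the check callback are hypothetical; the field names binding_message, scope and requested_expiry are the OpenID CIBA parameter names and are assumed here because this page does not print them.

```python
import json
import time

def build_bc_authorize_form(client_id, tenant_domain, sub, binding_message,
                            scope="openid", requested_expiry=300, audience=None):
    """Return the form fields for a Back-Channel Login request, rejecting
    values that break the constraints listed on this page."""
    if "openid" not in scope.split():
        raise ValueError("scope must include openid")
    if not 1 <= requested_expiry <= 300:
        raise ValueError("requested_expiry must be 1-300 seconds")
    # Policy of this example: the binding message is what the user compares
    # on their device, so an empty one is refused.
    if not binding_message.strip():
        raise ValueError("binding_message must not be empty")
    login_hint = {"format": "iss_sub",
                  "iss": f"https://{tenant_domain}/",
                  "sub": sub}
    form = {"client_id": client_id,
            "binding_message": binding_message,
            "login_hint": json.dumps(login_hint),
            "scope": scope,
            "requested_expiry": str(requested_expiry)}
    if audience:
        form["audience"] = audience
    return form

def poll_until_done(start_response, check, sleep=time.sleep, clock=time.monotonic):
    """Wait for the user's decision on an authentication request.

    check(auth_req_id) is a caller-supplied function (hypothetical) that
    returns None while the request is pending and a result dict once the
    user has approved or rejected it. Polls no faster than `interval`
    seconds and stops once `expires_in` seconds have passed."""
    interval = start_response["interval"]
    deadline = clock() + start_response["expires_in"]
    while clock() + interval <= deadline:
        sleep(interval)
        result = check(start_response["auth_req_id"])
        if result is not None:
            return result
    raise TimeoutError("authentication request expired before the user answered")
```

Passing sleep and clock as arguments lets the timing logic be exercised without real delays.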