You can configure each realm to support backchannel authentication by providing a handler which will initiate and validate the requests.
The following section describes how you can create your own Plugin which will be invoked during backchannel authentication
An apex class which implements the standard Salesforce Callable and handles an action ciba:init:challenge.
The action will be passed the following parameters
client : Id : The Salesforce SObject Id for the Client requesting the backchannel authentication
scope: String[] : The list of scopes requested by the client
requested_expiry : Number : The requested expiry time in seconds for the authentication
binding_message : String : A message to display to the user to simplify the user experience. This message allows the user to link the backchannel authentication to what she was doing
resource : Id : The Salesforce SObject Id for the Resource being requested
audience : Id : The Salesforce SObject Id for the Audience being requested
user : Id : The Salesforce SObject Id for the user for whom the authentication is requested
The expected return is a Map<String, Object> with one key auth_req_id which includes a unique identifier for the current transaction
MyOIDCProviderCallable.cls
1global class MyOIDCProviderCallable implements Callable {
2 global Object call(String action, Map<String, Object> args) {
3 if (action == 'ciba:init:challenge') {
4 return MyProvider.initVerification();
5 }
6 return null;
7 }
8}
An apex class which implements the standard Salesforce Callable and handles an action ciba:verify:challenge.
The action will be passed the following parameters
auth_req_id : String : The unique identifier for the ongoing backchannel authentication request. This is the auth_req_id which was returned from the previous handler.
user : Id : The Salesforce SObject Id for the user for whom the authentication is requested
The expected return is a Map<String, Object> with the following keys :
status: String approved, denied, pending
amrs List of successful AMRs which the backchannel authentication completed
MyOIDCProviderCallable.cls
1global class MyOIDCProviderCallable implements Callable {
2 global Object call(String action, Map<String, Object> args) {
3 if (action == 'ciba:init:challenge') {
4 return MyProvider.verifyVerification();
5 }
6 return null;
7 }
8}