
feat: Add CIBA (Client-Initiated Backchannel Authentication) support (RFC 9126) #64

@rsharath

Summary

Add support for Client-Initiated Backchannel Authentication (CIBA) as defined in RFC 9126 and the OpenID Connect CIBA spec. CIBA enables headless AI agents to initiate authentication on behalf of a user without requiring a browser redirect — the user approves via an out-of-band channel (push notification, email, or voice call).

Motivation

CIBA is a critical flow for autonomous agent scenarios where:

  • An agent needs user authorization but has no browser context (e.g., background orchestrators, CLI tools, MCP servers)
  • A human-in-the-loop approval step is required before an agent acts on behalf of a user
  • The agent operates in a headless environment (server-side, container, CI/CD pipeline)

This was identified as a gap compared to other agent identity platforms that support CIBA for headless agent approval flows.

Requirements

New Grant Type

  • Register urn:openid:params:grant-type:ciba as a new grant type
  • Implement backchannel authentication endpoint (POST /oauth2/bc-authorize)
  • Implement polling mode: agent polls token endpoint with auth_req_id
  • Implement ping mode: server notifies agent callback URL when user approves
  • Support push mode (optional): server delivers token directly to agent callback

Authentication Request

  • Accept login_hint (user identifier — email, phone, user ID)
  • Accept scope and binding_message (human-readable context for approval prompt)
  • Accept requested_expiry for auth request TTL (default configurable, bounded by credential policy)
  • Return auth_req_id, expires_in, and interval (polling interval)

User Approval

  • Define BackchannelNotifier interface for pluggable notification delivery:
    type BackchannelNotifier interface {
        Notify(ctx context.Context, req BackchannelAuthRequest) error
    }
  • Ship with no built-in notifier — users bring their own (push, email, SMS, Twilio, etc.)
  • Expose Server.SetBackchannelNotifier() hook for registration
  • Approval endpoint for user to accept/deny (POST /oauth2/bc-authorize/{auth_req_id}/approve)

Token Issuance

  • On approval, issue tokens via standard token endpoint with grant_type=urn:openid:params:grant-type:ciba
  • Enforce credential policy constraints (TTL, scopes, trust level)
  • Support delegation: issued token can carry act claim if agent is acting on behalf of user
  • Pending requests expire after requested_expiry or server default
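To make the polling-mode flow described under New Grant Type, Authentication Request and Token Issuance concrete, here is an added Go sketch of the server-side state machine; it is not code from this project, and reqs, interval, maxTTL, Start and Poll are names chosen for the example. It assumes an in-memory map in place of the proposed backchannel_auth_requests table, represents the approval endpoint's effect as a write to Status, and omits locking and real token minting.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)
// AuthRequest mirrors a row of the proposed backchannel_auth_requests table (Status: pending/approved/denied).
type AuthRequest struct {
	LoginHint, Scope, BindingMessage, Status string
	ExpiresAt, LastPoll                      time.Time
}
// Hypothetical in-memory stand-in for that table (single goroutine, no locking) and two policy settings.
var reqs = map[string]*AuthRequest{}
const interval, maxTTL = 5 * time.Second, 5 * time.Minute // advertised poll interval; bound on requested_expiry

// Start models POST /oauth2/bc-authorize and returns auth_req_id, expires_in and interval.
func Start(hint, scope, msg string, ttl time.Duration, now time.Time) (string, int, int) {
	if ttl <= 0 || ttl > maxTTL {
		ttl = maxTTL // clamp requested_expiry to policy: the client does not get to choose the TTL
	}
	b := make([]byte, 16)
	rand.Read(b) // auth_req_id is the only secret tying a poll to a user, so it must be unguessable
	id := hex.EncodeToString(b)
	reqs[id] = &AuthRequest{hint, scope, msg, "pending", now.Add(ttl), time.Time{}}
	return id, int(ttl.Seconds()), int(interval.Seconds())
}

// Poll models the token endpoint for grant_type=urn:openid:params:grant-type:ciba; a resolved row is deleted so it is redeemed once.
func Poll(id string, now time.Time) error {
	r, ok := reqs[id]
	switch {
	case !ok:
		return errors.New("invalid_grant")
	case now.After(r.ExpiresAt):
		delete(reqs, id)
		return errors.New("expired_token")
	case r.Status == "denied":
		delete(reqs, id)
		return errors.New("access_denied")
	case r.Status == "approved":
		delete(reqs, id)
		return nil // the caller now mints the token under the credential policy
	case now.Sub(r.LastPoll) < interval:
		return errors.New("slow_down") // polled faster than the advertised interval
	}
	r.LastPoll = now
	return errors.New("authorization_pending")
}
```

A nil result from Poll is the only path that leads to token issuance, so the credential-policy checks and any act claim for delegation belong at that point, not in the approval step.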

Storage

  • New backchannel_auth_requests table: auth_req_id, account_id, project_id, client_id, login_hint, scope, binding_message, status (pending/approved/denied/expired), expires_at, created_at

Integration with Existing Features

  • Credential policy enforcement on CIBA-issued tokens
  • CAE signal support — revoke CIBA-issued tokens on risk signals
  • Cascade revocation if CIBA token is used as subject_token in token exchange
  • Introspection and revocation endpoints work with CIBA-issued tokens

Non-Goals (for initial implementation)

  • Built-in push notification or SMS delivery (pluggable interface only)
  • CIBA with signed authentication requests (JWT-secured authorization requests)

References
