
Understanding the Flow

Auth0 implements asynchronous authorization using the Client-Initiated Backchannel Authentication (CIBA) standard, enhanced with Rich Authorization Requests (RAR).
  • CIBA is an OpenID Foundation specification that defines a decoupled flow where a client application (the AI agent’s backend, for example) can initiate an authentication request without direct interaction from the user on the same device. The user then approves or denies the request on a separate, trusted authentication device (like a mobile phone), typically via a push notification to an authenticator app or via SMS or email.
  • RAR is an OAuth 2.0 extension that allows client applications to request more complex permissions beyond standard OAuth 2.0 scopes in an authorization request. It allows the agent to send a detailed, structured payload describing the exact transaction. This provides the user with specific, verifiable context such as “Approve payment of $50.00 to ExampleCorp”, instead of a generic prompt, which is critical for establishing user trust and security. Using RAR is optional for a CIBA flow.
The flow generally proceeds as follows:
  1. Initiation: The agent’s backend identifies a need for user approval and sends a CIBA request to the Auth0 /bc-authorize endpoint. This request includes a user identifier and the optional RAR payload in the authorization_details parameter.
  2. Acknowledgment: Auth0 immediately acknowledges the request by returning a unique auth_req_id.
  3. Polling: The agent’s backend uses auth_req_id to begin polling the Auth0 /token endpoint to check for completion.
  4. User consent: In parallel, Auth0 sends a notification (e.g., push, SMS, or email) to the user’s authentication device, displaying the rich context from the RAR payload. The user approves or denies the request.
  5. Token issuance: Once the user approves, the next polling request from the agent’s backend to the /token endpoint will succeed. Auth0 returns the required access and ID tokens, allowing the agent to complete the authorized action.
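The five steps above, carried through in code as an added example (this is illustrative code written for this page, not Auth0's SDK or sample code). The agent side is a small client that sends the CIBA request with a RAR payload, then polls for the token while honouring the CIBA error codes (authorization_pending, slow_down, access_denied, expired_token). The Auth0 tenant is replaced by a constructed in-memory stand-in so the example runs offline; the endpoint paths (/bc-authorize and /oauth/token), the form field names (login_hint in iss_sub format, binding_message, authorization_details), the grant type URN and the behaviour of returning authorization_details in the token response follow the CIBA and RAR (RFC 9396) specifications and Auth0's public documentation as the author understands them, and should be treated as assumptions to check against the current docs. The tenant domain, client credentials, user subject and payment payload are all constructed values.

```python
# Added example: minimal CIBA + RAR client loop and a constructed stand-in tenant.
# Not Auth0's code; endpoint paths, field names and error codes are assumptions.
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
PostFn = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, Any]]]


class CibaError(Exception):
    """Raised when the backchannel request is rejected, denied or expired."""


class CibaClient:
    def __init__(self, domain: str, client_id: str, client_secret: str,
                 post: PostFn, sleep: Callable[[float], None] = time.sleep):
        self.domain, self.client_id, self.client_secret = domain, client_id, client_secret
        self.post, self.sleep = post, sleep  # injected so the loop can run offline

    def initiate(self, user_sub: str, scope: str, binding_message: str,
                 authorization_details: Optional[list] = None) -> Dict[str, Any]:
        """Steps 1-2: send the CIBA request and receive auth_req_id plus polling hints."""
        form = {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "scope": scope,
            "binding_message": binding_message,  # short text shown on the auth device
            # login_hint identifies the user; iss_sub is the format Auth0 documents (assumed)
            "login_hint": json.dumps({"format": "iss_sub",
                                      "iss": f"https://{self.domain}/", "sub": user_sub}),
        }
        if authorization_details is not None:  # RAR is optional in a CIBA flow
            form["authorization_details"] = json.dumps(authorization_details)
        status, body = self.post(f"https://{self.domain}/bc-authorize", form)
        if status != 200:
            raise CibaError(body.get("error"), body.get("error_description"))
        return body

    def poll(self, auth_req_id: str, interval: int, expires_in: int) -> Dict[str, Any]:
        """Steps 3 and 5: poll the token endpoint until approved, denied or expired."""
        elapsed = 0
        while elapsed < expires_in:
            status, body = self.post(f"https://{self.domain}/oauth/token", {
                "grant_type": CIBA_GRANT, "auth_req_id": auth_req_id,
                "client_id": self.client_id, "client_secret": self.client_secret})
            if status == 200:
                return body
            err = body.get("error")
            if err == "slow_down":                # CIBA: add 5s to the interval, keep polling
                interval += 5
            elif err != "authorization_pending":  # access_denied, expired_token, invalid_grant
                raise CibaError(err, body.get("error_description"))
            self.sleep(interval)
            elapsed += interval
        raise CibaError("expired_token", "user did not respond before the request expired")

    def authorize(self, user_sub: str, scope: str, binding_message: str,
                  authorization_details: Optional[list] = None) -> Dict[str, Any]:
        ack = self.initiate(user_sub, scope, binding_message, authorization_details)
        tokens = self.poll(ack["auth_req_id"], int(ack.get("interval", 5)), int(ack["expires_in"]))
        # Defensive check: the grant must cover exactly the transaction the user was shown.
        # RFC 9396 echoes authorization_details in the token response (assumed here).
        if authorization_details is not None and tokens.get("authorization_details") != authorization_details:
            raise CibaError("authorization_details_mismatch", "granted details differ from request")
        return tokens


class FakeAuth0:
    """Constructed stand-in for the tenant: validates input and scripts the user's decision."""
    def __init__(self, decision: str, pending_polls: int = 2, throttle_first: bool = False):
        self.decision, self.pending_polls, self.throttle_first = decision, pending_polls, throttle_first
        self.polls, self.requests = 0, {}

    def post(self, url: str, form: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
        if url.endswith("/bc-authorize"):
            for key in ("client_id", "scope", "login_hint"):
                if key not in form:
                    return 400, {"error": "invalid_request", "error_description": f"missing {key}"}
            details = json.loads(form["authorization_details"]) if "authorization_details" in form else None
            if details is not None and not isinstance(details, list):
                return 400, {"error": "invalid_authorization_details"}
            self.requests["req-1"] = details                      # what the user will be shown
            return 200, {"auth_req_id": "req-1", "expires_in": 300, "interval": 5}
        if url.endswith("/oauth/token"):
            if form.get("grant_type") != CIBA_GRANT or form.get("auth_req_id") not in self.requests:
                return 400, {"error": "invalid_grant"}
            self.polls += 1
            if self.throttle_first and self.polls == 1:
                return 400, {"error": "slow_down"}
            if self.polls <= self.pending_polls:
                return 400, {"error": "authorization_pending"}
            if self.decision != "approve":
                return 400, {"error": "access_denied", "error_description": "user declined"}
            return 200, {"access_token": "at.constructed", "id_token": "idt.constructed",
                         "token_type": "Bearer", "authorization_details": self.requests[form["auth_req_id"]]}
        return 404, {"error": "not_found"}


# Constructed RAR payload, shaped after the payment example in RFC 9396.
PAYMENT = [{"type": "payment_initiation", "instructedAmount": {"currency": "USD", "amount": "50.00"},
            "creditorName": "ExampleCorp"}]


def run_demo(decision: str = "approve", throttle_first: bool = False):
    """Run the whole flow against the stand-in; returns (tokens, poll count, sleep intervals)."""
    fake = FakeAuth0(decision, pending_polls=2, throttle_first=throttle_first)
    sleeps: list = []
    client = CibaClient("example-tenant.auth0.com", "client-id", "client-secret",
                        fake.post, sleep=sleeps.append)
    tokens = client.authorize("auth0|alice", "openid", "Approve payment of $50.00 to ExampleCorp", PAYMENT)
    return tokens, fake.polls, sleeps


if __name__ == "__main__":
    print(run_demo())
```

The two injected callables (post and sleep) are the only thing separating this from a real deployment: swapping post for an HTTPS client and dropping the sleep override gives the production loop, while the stand-in keeps the example deterministic. The mismatch check at the end of authorize is the part worth keeping in any real agent: the user approved a specific transaction, so the backend should refuse to act on a token whose authorization_details differ from what was requested.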
