CIBA implementation

[tusharpandey13]

Add support for Client Initiated Backchannel Login
Docs

The backchannel login endpoint enables applications to send an authentication request to a user’s phone (provided they have an app installed and have enrolled for Push Notification authentication using the Guardian SDK). It can be useful to authenticate users who are not physically present, such as users phoning a call center, or where the device being used does not have a screen, such as a shared bicycle or scooter.

Changes:

• Added backchannel property in authenticationClient, source located at src/auth/backchannel.ts
• Added unit tests for CIBA

Test results:

PASSING

Test Suites: 44 passed, 44 total
Tests:       1435 passed, 1435 total
Snapshots:   0 total
Time:        6.663 s, estimated 7 s
Ran all test suites.

Steps for manual testing:

• Enable CIBA feature flag on your tenant (currently in EA)

• Once CIBA is enabled, navigate to Applications>Applications in the Auth0 Dashboard. Create
  an application and then enable the Client Initiated Backchannel Authentication (CIBA) option
  in the Grant Types tab

• Enable Push Notifications using Auth0 Guardian in Multi-factor Auth in Security.

• Enrol a user for MFA

• Send a CIBA request as below and poll for the backchannel grant in regular intervals

const authorizationResponse = await authenticationClient.backchannel.authorize({
  userId: 'auth0|677d2de6e2095a483f033b14',
  binding_message: 'some message here',
  scope: 'openid'
})

console.log(JSON.stringify(authorizationResponse));

await(setTimeout(5000));

const grantResponse = await authenticationClient.backchannel.backchannelGrant({auth_req_id: authorizationResponse.auth_req_id});
console.log(JSON.stringify(grantResponse));

Notes:

There are some restrictions on the types of clients that can use the CIBA grant type. You can
only use the CIBA grant type if:

• The client is a first-party client i.e. the is_first_party property is true.
• The client is confidential with an authentication mechanism, i.e. the
  token_endpoint_auth_method property must not be set to none.
• The client is OIDC conformant i.e. the oidc_conformant must be true. tThis is the
  default for all new clients.

Alternatively, you can use the Management API to add the
urn:openid:params:grant-type:ciba grant type to the list of grant types on the client
object:

curl --location --request PATCH 'https://[YOURTENANT].auth0.com/api/v2/clients/[CLIENT ID]' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer [MANAGEMENT ACCESS TOKEN]' \
--data '{
"grant_types": [
"authorization_code",
"refresh_token",
"urn:openid:params:grant-type:ciba"
]
}'

[siacomuzzi]

@tusharpandey13 What's the reason for using camel-case here when the rest of the options are in snake-case?

[siacomuzzi]

@tusharpandey13 What is the purpose of this option? I can't find it in the POST /bc-authorize doc: https://auth0.com/docs/api/authentication#back-channel-login

[siacomuzzi]

@tusharpandey13 Why is this parameter a string if it refers to a number of seconds?