Back-Channel Authenticators
An authenticator is an extensible interface to enable users to authenticate. Back-Channel Authenticators Authenticators use backend endpoints that verify a proof of the user's identity.
Getting Started#
To create a back-channel authenticator, sign in to the Admin UI and navigate to Profiles → Authentication Service → Back-channel Authenticators.
Then select the + New Authenticator option to select from one of the built-in options.
Create a Back-Channel Authenticator
When getting started, choose a simple option like Email Back-channel.
Enable Back-channel Authentication
Navigate to client-settings (in Token Profile) and make sure to enable Back-channel Authentication.
Create a Client that uses the Back-Channel Authenticator
Next, create a client with the Back-channel Authentication capability and configure it to use the created authenticator.
Run a Client Initiated Back-Channel Authentication (CIBA) flow
Next, the client triggers user authentication, most commonly with an OAuth code flow.
The Getting Started Guides on the Curity website guide you through these steps. Before integrating a client you can use OAuth Tools as a test client.
Extensibility Points#
To create new types of back-channel authenticators see Back-Channel Authentication Plugin in the Developer Guide .
Back-channel authenticators can integrate with other key interfaces to enable you to compose user authentication behaviors in powerful ways. This capability can be critical when you onboard to the Curity Identity Server, and need to run old and new identity solutions side-by-side.
Credential Managers
An authenticator uses a credential manager to verify password credentials. Custom credential managers can enable migrations to the Curity Identity Server without password changes.
Account Managers
An authenticator can use an account manager to operate on attributes of user accounts. For example, the HTML Forms authenticator uses an account manager in its self-signup screen.
Data Sources
Authenticators, credential managers and account managers can integrate with data sources. You can use various SQL or NoSQL data sources or even use a REST API to adapt bespoke data sources.
Authentication Actions
You can link authenticators to authentication actions to integrate any custom data, logic or presentation into authentication flows. For example, an action can present a form that prompts the user to accept legal terms.
Custom Authenticators
You can develop a custom authenticator that uses frontend components and backend HTTP endpoints. For example, a plugin could integrate with legacy identity systems or use a third-party SDK to scan passport information.
Curity Online Training#
The best way to learn about authenticators is to implement flows that use them. The Administrator Training Courses walk you through a number of authentication flows to explain how to use various mainstream authenticators.