Upgrading from 11.0.X to 11.1.0#

SDK#

Changes to BackchannelAuthenticationRequest for CIBA plugins#

The changes in this section are relevant to authors of back-channel authenticator plugins that implement the BackchannelAuthenticationHandler interface.

Version 11.1.0 adds support for the login_hint_token and id_token_hint parameters in CIBA requests. For that, it introduces a type-safe BackchannelHint sealed interface to represent all three CIBA hint types.

Changed: getSubject() can now return an empty string#

BackchannelAuthenticationRequest.getSubject() now returns an empty string when the hint is a login_hint_token, since no subject can be derived from an opaque token without further processing by the authenticator. It returns the subject string for login_hint and id_token_hint.

New: getHint() returns BackchannelHint#

A new getHint() method returns a BackchannelHint — a sealed interface with three record types that directly encode which hint parameter was provided:

  • BackchannelHint.LoginHint(String subject) — a login_hint value
  • BackchannelHint.IdTokenHint(String subject) — the subject extracted from a validated id_token_hint
  • BackchannelHint.LoginHintToken(String token) — an opaque login_hint_token, passed through as-is

Use of getHint() should be preferred to the use of getSubject().

How to update your plugin#

When possible, replace any usage of getSubject() with a pattern-matching switch on getHint(). Return failure if your plugin doesn’t support opaque tokens (login_hint_token).

Refer to the Back-Channel Authenticator Plugin documentation for full details.

Was this helpful?