As organizations increasingly adopt agentic architectures through the MuleSoft Agent Fabric, maintaining secure, context-aware identity across distributed services has become a critical challenge. We’re excited to announce a major enhancement to our Trusted Agent Identity capability: the addition of OpenID Connect Client-Initiated Backchannel Authentication (CIBA) support within the MuleSoft Flex Gateway’s On-Behalf-Of (OBO) Governance policy.
What is OpenID Connect CIBA?
CIBA is an extension of the OpenID Connect (OIDC) protocol that enables just-in-time (JIT), out-of-band (OOB), human-in-the-loop (HITL) approval of high-risk or privileged operations requested by downstream agents or services, without browser redirects and without disrupting the user’s current session.
While traditional OpenID Connect relies on browser redirects to authenticate users, CIBA uses a secure backchannel between the client and an OIDC-compliant IdP. This lets CIBA deliver a modern authentication experience by decoupling the user’s authentication from the device or channel that initiated the request.
This approach allows the downstream agent or service (the relying party, in OIDC terminology) to initiate authentication independently; the user then authenticates on their own trusted device, typically with an approved authenticator app on an appropriately enrolled device.
This pattern is suitable in use cases like:
- Customer support interaction requiring out-of-band identity verification
- High-value transaction approvals (financial transfers or data access escalations)
- Agentic workflows where a backend service needs real-time human approval before proceeding with a sensitive operation
Introducing the CIBA-enhanced OBO policy
The CIBA capability is integrated into the Flex Gateway OAuth2 OBO Credential Injection policy as an optional configuration. When CIBA is enabled and an agent attempts to access a CIBA-protected resource, the OIDC-compliant IdP demands out-of-band authentication: it automatically triggers a push notification to an approved device, or another out-of-band mechanism (e.g. email, text/SMS, authenticator apps), so the user can authorize the request without ever leaving the original application context.
Key benefits
- Transparent step-up authentication: Handle MFA requirements mid-flow without redirecting the user or breaking the agentic experience
- Zero app code changes: CIBA is enabled entirely through administrative policy configuration at the Flex Gateway level. Upstream clients or downstream systems require no modification
- Enhanced auditability: Maintain user-centric audit trails across service chains, ensuring that every interaction within your agent network is attributable to a specific, verified user intent
- True zero-trust: Empower backend services to request real-time step-up authentication for high-risk activities, aligning with the strictest security standards
Understanding the “enable CIBA” configuration
This capability is exposed as a new, optional configuration section within the existing OBO policy. When the “Enable CIBA” flag is set, the gateway follows the CIBA flow:
- Out-of-band approval: The gateway sends a backchannel authorization request to the IdP, which triggers a notification on the user’s enrolled device
- Background polling: While the request is pending, the gateway performs non-blocking polling of the IdP. Once the user approves, the gateway receives the new token and makes it available to the client
- Client retries request: The client forwards the original request to the downstream service with the new token.
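As an added illustration of the three steps above (example code, not MuleSoft’s own), here is a poll-mode CIBA exchange between a relying party standing in for the gateway and a constructed, scripted IdP, so it runs offline. The hypothetical FakeIdP, its token values and the claim names are assumptions; the grant type, request parameters and error codes are those defined by the CIBA specification.

```python
CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type defined by the CIBA spec

def build_backchannel_request(subject_claims, login_hint_claim, binding_message):
    # Mirrors loginHintClaim/bindingMessage: named claim of the validated subject token -> login_hint
    return {"scope": "openid", "login_hint": subject_claims[login_hint_claim],
            "binding_message": binding_message}

def poll_for_token(token_post, auth_req_id, interval, expires_in, sleep):
    """Poll-mode client: wait the IdP's interval, back off 5 s on slow_down, stop at expiry."""
    waited = 0
    while True:
        resp = token_post({"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id})
        err = resp.get("error")
        if "access_token" in resp or err not in ("authorization_pending", "slow_down"):
            return resp  # token, or a terminal error such as access_denied / invalid_grant
        interval += 5 if err == "slow_down" else 0
        waited += interval
        if waited >= expires_in:
            return {"error": "expired_token"}  # the user never answered the push
        sleep(interval)

class FakeIdP:
    """Constructed stand-in IdP (hypothetical) with a scripted user decision, so this runs offline."""
    def __init__(self, approve_after_polls, decision="approved"):
        self.requests, self.approve_after, self.decision = {}, approve_after_polls, decision
    def backchannel_authenticate(self, params):  # backchannel_authentication_endpoint
        if "openid" not in params["scope"].split() or "login_hint" not in params:
            return {"error": "invalid_request"}
        req_id = f"req-{len(self.requests) + 1}"  # constructed auth_req_id
        self.requests[req_id] = {"polls": 0, "user": params["login_hint"]}
        return {"auth_req_id": req_id, "expires_in": 120, "interval": 2}
    def token(self, params):  # token endpoint, CIBA grant only
        state = self.requests.get(params.get("auth_req_id"))
        if params.get("grant_type") != CIBA_GRANT or state is None:
            return {"error": "invalid_grant"}
        state["polls"] += 1
        if state["polls"] == 1:
            return {"error": "slow_down"}  # first poll arrived before the interval elapsed
        if state["polls"] <= self.approve_after:
            return {"error": "authorization_pending"}  # push not yet answered
        if self.decision != "approved":
            return {"error": "access_denied"}
        return {"access_token": f"at-for-{state['user']}", "token_type": "Bearer"}

def run_ciba(idp, subject_claims, login_hint_claim, binding_message, sleep):
    # Gateway-side flow: backchannel request, then poll until a terminal answer
    auth = idp.backchannel_authenticate(
        build_backchannel_request(subject_claims, login_hint_claim, binding_message))
    return auth if "error" in auth else poll_for_token(
        idp.token, auth["auth_req_id"], auth["interval"], auth["expires_in"], sleep)
```

A denied or expired request comes back as a terminal error dict, which is what the gateway would turn into a 401/403 for the client rather than retrying.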
CIBA configuration in OBO policy
The following parameters are now available in the Flex Gateway policy configuration:
| Parameter | Description |
|---|---|
| cibaEnabled | A boolean flag that activates CIBA capabilities within the OBO policy. This is a required parameter |
| cibaEndpoint | The backchannel authorization endpoint provided by your OIDC-compliant IdP |
| loginHintClaim | Defines which claim (e.g. email, sub) to extract from the subject token to identify the user for the push notification |
| bindingMessage | An optional human readable message shown to the user on their mobile device for additional context (e.g. “App 1 → App 2 access request”) |
Getting started
- Upgrade to Flex Gateway v1.11.0 or later
- Enable CIBA on your IdP and enroll users for out-of-band authentication
- Locate your IdP’s CIBA endpoint in its OIDC discovery document (https://<your-idp>/.well-known/openid-configuration); look for backchannel_authentication_endpoint
- Test with a low-risk, non-production resource before rolling out to production
For a detailed walkthrough on setting up these policies, visit our official documentation and the OIDC CIBA Specification.