oauth-2.0, wso2, openid, wso2-identity-server

Clarification required on CIBA Spec


I am going through CIBA specifications and could not understand what is user_code and how it needs to be deployed for CIBA.

"User code is a mechanism to prevent unsolicited authentication requests from appearing on a user's authentication device. "

This is how the specification section begins. See section 7.1.2 for more.

It will be helpful if someone could explain this functionality and how it should be supported from an Identity Server point of view!!


Solution

  • This may be a bit late, but I hope it can help future readers if so. The user_code mechanism is to prevent unwanted CIBA requests appearing on an end user's Authentication Device (AD). There might be instances where a Relying Party (RP) or client application, which uses the CIBA Authorization Server (OP), knows the end user's identifier, thus resulting in subsequent requests which the end user doesn't want at the current time. So as a preventive measure, a user_code must be supplied before a CIBA request can start, do its thing in the AD etc. This is to make sure the CIBA request that pops up on an end user's AD is really "wanted" or, should I say, under the conscious knowledge of the end user.

    The way a user_code is structured is similar to a password. It's a secret that only the end user has the knowledge of... but it should be other than a password.

    So for the implementation aspect, a rough approach could be like below:

    1. Register client app to support user_code
    2. Make sure corresponding user accounts have a user_code
    3. Before a CIBA request, the client application will need to ask the end user to input the user_code
    4. The user_code supplied will be passed along with the authentication request, that is the initial CIBA request
    5. The Authorization server (OP) validates the request parameters, making sure the user_code is valid for the picked user
    6. Continue the rest of the flow, conforming to the specs...
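The six steps above, worked as an added Python example of the OP-side check (not the answer's code and not WSO2 Identity Server's implementation). The CLIENTS registry, the users dict, enroll_user_code and validate_backchannel_request are constructed for illustration; the client metadata name backchannel_user_code_parameter and the error codes missing_user_code, invalid_user_code and unknown_user_id are the ones CIBA Core defines.

```python
import hashlib
import hmac
import secrets

# Constructed sample registry: one client that opted in to user_code at
# registration (CIBA client metadata backchannel_user_code_parameter) and
# one that did not. Step 1 of the answer.
CLIENTS = {
    "app-with-code": {"backchannel_user_code_parameter": True},
    "app-without-code": {"backchannel_user_code_parameter": False},
}


def _hash_user_code(code: str, salt: bytes) -> bytes:
    # Treat the user_code like a password: salted, slow hash, never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def enroll_user_code(users: dict, login_hint: str, code: str) -> None:
    """Step 2: give a user account a user_code (constructed in-memory store)."""
    salt = secrets.token_bytes(16)
    users[login_hint] = {"salt": salt, "user_code_hash": _hash_user_code(code, salt)}


def validate_backchannel_request(client_id: str, params: dict, users: dict) -> dict:
    """Steps 4-5: check the backchannel authentication request parameters.

    Returns {"ok": True} when the request may proceed, otherwise a CIBA
    authentication error body such as {"error": "invalid_user_code"}.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    user = users.get(params.get("login_hint"))
    if user is None:
        return {"error": "unknown_user_id"}
    # Only clients registered for user_code are required to send one.
    if not client["backchannel_user_code_parameter"]:
        return {"ok": True}
    code = params.get("user_code")
    if not code:
        return {"error": "missing_user_code"}
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(_hash_user_code(code, user["salt"]), user["user_code_hash"]):
        return {"error": "invalid_user_code"}
    # Step 6: the caller now continues the normal CIBA flow (auth_req_id, AD push, polling).
    return {"ok": True}
```

Because the code is checked before anything is pushed to the Authentication Device, a client that merely knows the login_hint cannot make a prompt appear on the user's device without it.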