Adding Support For CIBA with RAR (#679)

### Changes

- Added support for Rich Authorization Request in CIBA.


### References

- [Open
ID](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)
- [User Authentication with
CIBA](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow/user-authentication-with-ciba)

- [Configure Client-Initiated Backchannel
Authentication](https://auth0.com/docs/get-started/applications/configure-client-initiated-backchannel-authentication#integrate-guardian-sdk-into-your-application)

### Testing

- [x] This change adds test coverage

- [x] This change has been tested on the latest version of the
platform/language or why not

### Contributor Checklist

- [x] I agree to adhere to the [Auth0 General Contribution
Guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md).
- [x] I agree to uphold the [Auth0 Code of
Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).

---------

Co-authored-by: Kunal Dawar <[email protected]>

Author: kishore7snehil

.snyk

@@ -9,4 +9,8 @@ ignore:
   SNYK-PYTHON-REQUESTS-40470:
     - '*':
         reason: 'patched in latest python versions: https://bugs.python.org/issue27568'
+  "snyk:lic:pip:certifi:MPL-2.0":
+    - '*':
+        reason: "Accepting certifi’s MPL-2.0 license for now"
+        expires: "2030-12-31T23:59:59Z"
 patch: {}

auth0/authentication/back_channel_login.py

@@ -34,4 +34,5 @@ def back_channel_login(
                 "scope": scope,
                 **kwargs,
             },
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
         )

auth0/test/authentication/test_back_channel_login.py

@@ -1,6 +1,7 @@
 
 import unittest
 from unittest import mock
+import json
 
 import requests
 from ...exceptions import Auth0Error, RateLimitError
@@ -74,5 +75,64 @@ def test_should_require_scope(self, mock_post):
         # Assert the error message is correct
         self.assertIn("missing 1 required positional argument: \'scope\'", str(context.exception))
 
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_with_authorization_details(self, mock_post):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+        g.back_channel_login(
+            binding_message="This is a binding message.",
+            login_hint={"format": "iss_sub", "iss": "https://my.domain.auth0.com/", "sub": "auth0|USER_ID"},
+            scope="openid",
+            authorization_details=[
+                {
+                    "type":"payment_initiation","locations":["https://example.com/payments"],
+                    "instructedAmount":
+                    {
+                        "currency":"EUR","amount":"123.50"
+                    },
+                    "creditorName":"Merchant A",
+                    "creditorAccount":
+                    {
+                        "bic":"ABCIDEFFXXX",
+                        "iban":"DE021001001093071118603"
+                    },
+                    "remittanceInformationUnstructured":"Ref Number Merchant"
+                }
+            ],
+        )
+
+        args, kwargs = mock_post.call_args
+
+        expected_data = {
+            "client_id": "cid",
+            "client_secret": "clsec",
+            "binding_message": "This is a binding message.",
+            "login_hint": {"format": "iss_sub", "iss": "https://my.domain.auth0.com/", "sub": "auth0|USER_ID" },
+            "scope": "openid",
+            "authorization_details": [
+                {
+                    "type":"payment_initiation","locations":["https://example.com/payments"],
+                    "instructedAmount":
+                    {
+                        "currency":"EUR","amount":"123.50"
+                    },
+                    "creditorName":"Merchant A",
+                    "creditorAccount":
+                    {
+                        "bic":"ABCIDEFFXXX",
+                        "iban":"DE021001001093071118603"
+                    },
+                    "remittanceInformationUnstructured":"Ref Number Merchant"
+                }],
+        }
+
+        actual_data = kwargs["data"]
+            
+        self.assertEqual(args[0], "https://my.domain.com/bc-authorize")
+    
+        self.assertEqual(
+            json.dumps(actual_data, sort_keys=True), 
+            json.dumps(expected_data, sort_keys=True)
+        )
+
 
 

auth0/test/authentication/test_pushed_authorization_requests.py

@@ -48,7 +48,7 @@ def test_par_custom_params(self, mock_post):
         )
 
     @mock.patch("auth0.rest.RestClient.post")
-    def test_rar(self, mock_post):
+    def test_with_authorization_details(self, mock_post):
         a = PushedAuthorizationRequests("my.domain.com", "cid", client_secret="sh!")
         a.pushed_authorization_request(
             response_type="code", 

poetry.lock

@@ -5,13 +5,13 @@ argcomplete==3.5.3 ; python_version >= "3.7" and python_version < "4.0"
 async-timeout==4.0.3 ; python_version >= "3.7" and python_version < "4.0"
 asynctest==0.13.0 ; python_version >= "3.7" and python_version < "3.8"
 attrs==23.1.0 ; python_version >= "3.7" and python_version < "4.0"
-certifi==2023.11.17 ; python_version >= "3.7" and python_version < "4.0"
+certifi==2025.1.31 ; python_version >= "3.7" and python_version < "4.0"
 cffi==1.17.1 ; python_version >= "3.7" and python_version < "4.0"
 charset-normalizer==3.2.0 ; python_version >= "3.7" and python_version < "4.0"
 click==8.1.7 ; python_version >= "3.7" and python_version < "4.0"
 colorama==0.4.6 ; python_version >= "3.7" and python_version < "4.0" and sys_platform == "win32" or python_version >= "3.7" and python_version < "4.0" and platform_system == "Windows"
 coverage[toml]==7.2.7 ; python_version >= "3.7" and python_version < "4.0"
-cryptography==43.0.1 ; python_version >= "3.7" and python_version < "4.0"
+cryptography==44.0.1 ; python_version >= "3.7" and python_version < "4.0"
 exceptiongroup==1.1.3 ; python_version >= "3.7" and python_version < "3.11"
 frozenlist==1.5.0 ; python_version >= "3.7" and python_version < "4.0"
 idna==3.10 ; python_version >= "3.7" and python_version < "4.0"
@@ -24,18 +24,18 @@ pipx==1.2.0 ; python_version >= "3.7" and python_version < "4.0"
 pluggy==1.2.0 ; python_version >= "3.7" and python_version < "4.0"
 pycparser==2.21 ; python_version >= "3.7" and python_version < "4.0"
 pyjwt==2.8.0 ; python_version >= "3.7" and python_version < "4.0"
-pyopenssl==23.3.0 ; python_version >= "3.7" and python_version < "4.0"
+pyopenssl==25.0.0 ; python_version >= "3.7" and python_version < "4.0"
 pytest-aiohttp==1.0.4 ; python_version >= "3.7" and python_version < "4.0"
 pytest-asyncio==0.23.8 ; python_version >= "3.7" and python_version < "4.0"
 pytest-cov==4.1.0 ; python_version >= "3.7" and python_version < "4.0"
 pytest==7.4.0 ; python_version >= "3.7" and python_version < "4.0"
 pyyaml==6.0.2 ; python_version >= "3.7" and python_version < "4.0"
-requests==2.31.0 ; python_version >= "3.7" and python_version < "4.0"
+requests==2.32.3 ; python_version >= "3.7" and python_version < "4.0"
 responses==0.23.3 ; python_version >= "3.7" and python_version < "4.0"
 tomli==2.0.1 ; python_version >= "3.7" and python_full_version <= "3.11.0a6"
 types-pyyaml==6.0.12.11 ; python_version >= "3.7" and python_version < "4.0"
 typing-extensions==4.7.1 ; python_version >= "3.7" and python_version < "3.8"
-urllib3==2.0.7 ; python_version >= "3.7" and python_version < "4.0"
+urllib3==2.2.2 ; python_version >= "3.7" and python_version < "4.0"
 userpath==1.9.0 ; python_version >= "3.7" and python_version < "4.0"
 yarl==1.9.2 ; python_version >= "3.7" and python_version < "4.0"
-zipp==3.15.0 ; python_version >= "3.7" and python_version < "3.8"
+zipp==3.19.1 ; python_version >= "3.7" and python_version < "3.8"