<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Client Initiated Backchannel Authentication Not Available for Single Page Applications
Mar 6, 2026
Okta Identity Engine
API Access Management
Overview

When attempting to configure Client Initiated Backchannel Authentication (CIBA) for a Single Page Application (SPA), the option to enable the CIBA flow is not visible in the Okta Admin Console. Customers seeking to implement this flow will find that the toggle or configuration settings are missing from the application settings. Additionally, users may be unaware that CIBA requires the use of a Custom Authenticator App to process out-of-band authorization requests.

Applies To
  • Okta Identity Engine (OIE)
  • Single Page Applications (SPA)
  • Client Initiated Backchannel Authentication (CIBA)
  • Application Configuration
  • Custom Authenticator Apps (SDK-based)
Cause

Okta currently only supports the CIBA flow for the Web Application type. Single Page Applications (SPA) do not have the architectural requirements or internal configuration options to support the CIBA flow at this time. Furthermore, CIBA requires a backchannel communication path to a Custom Authenticator App built with the Okta Devices SDK to prompt the user for approval.

Solution

To use the CIBA flow, the application must be configured as a Web Application. Additionally, a Custom Authenticator must be developed and configured to handle the push challenges.

Part 1: Configure the Web Application

 

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications > Applications.
  3. Click Create App Integration.
  4. Select OIDC - OpenID Connect as the Sign-in method.
  5. Select Web Application as the Application type.
    • NOTE: CIBA is not supported if the Single-Page Application option is selected.
  6. Click Next and configure the application settings.
  7. Once created, navigate to the General tab of the new Web App.
  8. In the Client Protocol section, click Edit.
  9. Under Allowed grant types, select Client Initiated Backchannel Authentication.
  10. Click Save.

 

Part 2: Enable Custom Authenticator App

Because CIBA relies on a "consumption" device to approve the login initiated by the "instruction" device, the following must be done:

  1. Develop a mobile application using the Okta Devices SDK.
  2. Register this app as a Custom Authenticator in the Okta Admin Console under Security > Authenticators.
  3. Ensure the user is enrolled in this Custom Authenticator to receive the CIBA push notification.

Related References

Recommended content

Still looking for help?
Loading
Client Initiated Backchannel Authentication Not Available for Single Page Applications