Configure Auth0 to pass OpenID FAPI Certification Tests
This section contains some advice on how to configure your client if you would like to test your solution using the OpenID FAPI Conformance Tests.
To pass the OpenID FAPI Conformance Tests, first configure the following:
- Set the compliance_level property to the desired profile, either fapi1_adv_pkj_par or fapi1_adv_mtls_par.
- Either Configure mTLS (including mTLS aliases) or Configure Private Key JWT.
Then, follow the instructions below to complete your OpenID FAPI Conformance Tests configuration:
Ensure Auth0 prompts users for consent
You will need to ensure that Auth0 prompts users for consent. You may skip this step if the client is configured as a first-party app and the Resource Server or API supports skipping consent for first-party apps. To ensure Auth0 prompts users for consent, set the is_first_party property on the client to false:
curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "is_first_party": false
  }'
Then, promote your connection to the domain level:
curl --location --request PATCH 'https://$tenant/api/v2/connections/$connection_id' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "is_domain_connection": true
  }'
Configure supported ACR claims for the tenant
The FAPI tests pass a required ACR value of urn:mace:incommon:iap:silver. To include the required ACR value in the ID token, add urn:mace:incommon:iap:silver to the list of supported ACR values for the tenant:
curl --location --request PATCH 'https://$tenant/api/v2/tenants/settings' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "acr_values_supported": ["urn:mace:incommon:iap:silver"]
  }'
Remove the alg property from JWKS endpoint
To allow keys to be used with multiple algorithms, not just RS256, remove the tenant's alg property from the output of the /.well-known/jwks.json endpoint:
curl --location --request PATCH 'https://$tenant/api/v2/tenants/settings' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "flags": {
      "remove_alg_from_jwks": true
    }
  }'
Add Action to require scope and redirect_uri
By default, Auth0 allows requests without a scope, assuming the openid scope if no scope is present. Auth0 also allows requests without a redirect_uri, which you can set in Actions. However, the FAPI conformance tests require Auth0 to be more restrictive. Add the following Action to enforce the necessary restrictions on scope and redirect_uri:
exports.onExecutePostLogin = async (event, api) => {
  // Refresh-token exchanges carry no scope or redirect_uri, so only check other requests
  if (!event.request.body || !event.request.body.refresh_token) {
    // Require a scope
    if (!event.request.query.scope) {
      api.access.deny('scope must be provided in the request');
    }
    // To improve the error message if redirect_uri is not present
    if (!event.request.query.redirect_uri) {
      api.access.deny('redirect_uri must be provided in the request');
    }
  }
};
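To check that the Action rejects and allows the right requests before deploying it, here is an added offline harness (example code, not part of the Auth0 documentation) that runs the same checks against constructed requests, including the refresh-token exchange that the Action deliberately skips. The shapes of the `event` and `api` objects are assumed to match what Auth0 passes to a post-login Action.

```javascript
// The Action's checks factored into a plain function so they can be run offline.
// The deployed Action would just delegate to it:
//   exports.onExecutePostLogin = async (event, api) => enforceScopeAndRedirect(event, api);
function enforceScopeAndRedirect(event, api) {
  // Refresh-token exchanges carry no scope/redirect_uri query parameters, so the
  // checks are skipped for them, exactly as in the original Action.
  if (event.request.body && event.request.body.refresh_token) return;
  if (!event.request.query.scope) {
    api.access.deny('scope must be provided in the request');
  }
  if (!event.request.query.redirect_uri) {
    api.access.deny('redirect_uri must be provided in the request');
  }
}

// Minimal stand-in for the Actions `api` object (assumed shape: api.access.deny(reason)).
// It records every deny() call instead of aborting the login.
function makeApi() {
  const denials = [];
  return { denials, access: { deny: (reason) => denials.push(reason) } };
}

// Runs the check against one constructed request and returns the deny reasons
// (an empty array means the request would be allowed through).
function evaluate(query, body) {
  const api = makeApi();
  enforceScopeAndRedirect({ request: { query: query || {}, body: body || {} } }, api);
  return api.denials;
}

// Constructed sample requests covering the cases the Action distinguishes.
const samples = {
  compliant:  { query: { scope: 'openid', redirect_uri: 'https://client.example/cb' } },
  noScope:    { query: { redirect_uri: 'https://client.example/cb' } },
  noRedirect: { query: { scope: 'openid' } },
  // Refresh-token exchange: nothing in the query, refresh_token in the body.
  refresh:    { query: {}, body: { refresh_token: 'constructed-refresh-token' } },
};

// Evaluates every sample and maps its name to the deny reasons it produced.
function runSamples() {
  const results = {};
  for (const [name, s] of Object.entries(samples)) {
    results[name] = evaluate(s.query, s.body);
  }
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```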