Configure Auth0 to pass OpenID FAPI Certification Tests

This section contains some advice on how to configure your client if you would like to test your solution using the OpenID FAPI Conformance Tests.

To pass the OpenID FAPI Conformance Tests, first configure the following:

• Set the compliance_level property to the desired profile, either fapi1_adv_pkj_par or fapi1_adv_mtls_par

• Either Configure mTLS (including mTLS aliases) or Configure Private Key JWT

• Configure mTLS Token Binding

Then, follow the instructions below to complete your OpenID FAPI Conformance Tests configuration:

• Ensure Auth0 prompts users for consent

• Configure supported ACR claims for the tenant

• Remove the alg property from JWKS endpoint

• Add Action to require scope and redirect_uri

You will need to ensure that Auth0 prompts users for consent. You may skip this step if the client is configured as a first-party app, and the Resource Server or API supports skipping consent for first-party apps. To ensure Auth0 requests users for consent, set the is_first_party property on the client to false:

curl --location --request PATCH 'https://$tenant/api/v2/clients/$client_id' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_first_party": false  
}'

Then, promote your connection to the domain level:

curl --location --request PATCH 'https://$tenant/api/v2/connections/$connection_id' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_domain_connection": true
}'

The FAPI tests pass a required ACR value of urn:mace:incommon:iap:silver. To include the required ACR value in the ID token, add urn:mace:incommon:iap:silver to the list of supported ACR values for the tenant:

curl --location --request PATCH 'https://$tenant/api/v2/tentants/settings' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "acr_values_supported": ["urn:mace:incommon:iap:silver"]
}'

To allow for keys to be used with multiple algorithms, not just RS256, remove the tenant's alg property from the output of the /.well-known/jwks.json endpoint:

curl --location --request PATCH 'https://$tenant/api/v2/tentants/settings' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "flags": {
        "remove_alg_from_jwks": true
    }
}'

By default, Auth0 allows requests without a scope, assuming the openid scope if no scope is present. Auth0 also allows requests without a redirect_uri, which you can set in Actions. However, the FAPI conformance tests require Auth0 to be more restrictive.

Add the following Action to enforce the necessary restrictions on scope and redirect_uri:

exports.onExecutePostLogin = async (event, api) => {
  if (!event.request.body || !event.request.body.refresh_token) {
    // Require a scope
    if (!event.request.query.scope) {
      api.access.deny('scope must be provided in the request');
    }
    // To improve the error message if redirect_uri is not present
    if (!event.request.query.redirect_uri) {
      api.access.deny('redirect_uri must be provided in the request');
    }
  }
};

• Configure Private Key JWT Authentication
• Configure mTLS Authentication