Configure Auth0 to pass OpenID FAPI Certification Tests

This section contains some advice on how to configure your client if you would like to test your solution using the OpenID FAPI Conformance Tests.

To pass the OpenID FAPI Conformance Tests, first configure the following:

Then, follow the instructions below to complete your OpenID FAPI Conformance Tests configuration:

You will need to ensure that Auth0 prompts users for consent. You may skip this step if the client is configured as a first-party app and the Resource Server or API supports skipping consent for first-party apps. To ensure Auth0 prompts users for consent, set the is_first_party property on the client to false:

curl --location --request PATCH "https://$tenant/api/v2/clients/$client_id" \
  --header "Authorization: Bearer $management_access_token" \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_first_party": false
}'


Then, promote your connection to the domain level:

curl --location --request PATCH "https://$tenant/api/v2/connections/$connection_id" \
  --header "Authorization: Bearer $management_access_token" \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_domain_connection": true
}'


Configure supported ACR claims for the tenant

The FAPI tests pass a required ACR value of urn:mace:incommon:iap:silver. To include the required ACR value in the ID token, add urn:mace:incommon:iap:silver to the list of supported ACR values for the tenant:

curl --location --request PATCH "https://$tenant/api/v2/tenants/settings" \
  --header "Authorization: Bearer $management_access_token" \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "acr_values_supported": ["urn:mace:incommon:iap:silver"]
}'


Remove the alg property from JWKS endpoint

To allow keys to be used with more than one algorithm (not only RS256), remove the alg property from the keys the tenant publishes at its /.well-known/jwks.json endpoint:

curl --location --request PATCH "https://$tenant/api/v2/tenants/settings" \
  --header "Authorization: Bearer $management_access_token" \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "flags": {
        "remove_alg_from_jwks": true
    }
}'
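The four Management API calls above, applied in one script and then checked against the tenant's public endpoints. This is an added example, not Auth0's code: it assumes Node 18+ (global fetch), the hypothetical environment variables AUTH0_TENANT, MGMT_TOKEN, CLIENT_ID and CONNECTION_ID, and that GET /api/v2/tenants/settings returns the acr_values_supported and flags fields that were just patched. The verification helpers take the parsed responses as plain objects, so they can also be run against JSON saved from curl.

```javascript
// Added example (not Auth0's code): apply the Management API changes from this page
// in one script, then verify them. Assumes Node 18+ (global fetch) and the hypothetical
// env vars AUTH0_TENANT, MGMT_TOKEN, CLIENT_ID and CONNECTION_ID.
const FAPI_ACR = 'urn:mace:incommon:iap:silver';

// The four PATCH calls, in the order the page gives them.
function buildRequests({ tenant, token, clientId, connectionId }) {
  const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
  const patch = (path, body) => ({
    url: `https://${tenant}${path}`,
    init: { method: 'PATCH', headers, body: JSON.stringify(body) },
  });
  return [
    patch(`/api/v2/clients/${clientId}`, { is_first_party: false }),
    patch(`/api/v2/connections/${connectionId}`, { is_domain_connection: true }),
    patch('/api/v2/tenants/settings', { acr_values_supported: [FAPI_ACR] }),
    patch('/api/v2/tenants/settings', { flags: { remove_alg_from_jwks: true } }),
  ];
}

// Verification: once the flag is set, no key in /.well-known/jwks.json should carry "alg".
// Returns the kids that still do (empty array means the change took effect).
function keysStillCarryingAlg(jwks) {
  return (jwks.keys || []).filter((k) => 'alg' in k).map((k) => k.kid);
}

// Verification: the tenant settings should list the ACR value and the JWKS flag.
// Returns a list of problems (empty array when both are in place).
function tenantSettingsProblems(settings) {
  const problems = [];
  if (!(settings.acr_values_supported || []).includes(FAPI_ACR)) {
    problems.push(`acr_values_supported does not include ${FAPI_ACR}`);
  }
  if (!settings.flags || settings.flags.remove_alg_from_jwks !== true) {
    problems.push('flags.remove_alg_from_jwks is not true');
  }
  return problems;
}

// Issues the PATCH calls, then reads back the settings and the JWKS and checks them.
async function configureAndVerify(config, fetchImpl = fetch) {
  for (const { url, init } of buildRequests(config)) {
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`${init.method} ${url} failed: HTTP ${res.status}`);
  }
  const authz = { headers: { Authorization: `Bearer ${config.token}` } };
  const settings = await (await fetchImpl(`https://${config.tenant}/api/v2/tenants/settings`, authz)).json();
  const jwks = await (await fetchImpl(`https://${config.tenant}/.well-known/jwks.json`)).json();
  return {
    settingsProblems: tenantSettingsProblems(settings),
    keysWithAlg: keysStillCarryingAlg(jwks),
  };
}

// Runs only when the hypothetical env vars are all present.
const { AUTH0_TENANT, MGMT_TOKEN, CLIENT_ID, CONNECTION_ID } = process.env;
if (AUTH0_TENANT && MGMT_TOKEN && CLIENT_ID && CONNECTION_ID) {
  configureAndVerify({ tenant: AUTH0_TENANT, token: MGMT_TOKEN, clientId: CLIENT_ID, connectionId: CONNECTION_ID })
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

Both verification helpers return an empty array on a correctly configured tenant; anything else names the setting or key that still needs attention, which is the check to run before kicking off the conformance suite.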


Add Action to require scope and redirect_uri

By default, Auth0 allows requests without a scope, assuming the openid scope if no scope is present. Auth0 also allows requests without a redirect_uri, which you can set in Actions. However, the FAPI conformance tests require Auth0 to be more restrictive.

Add the following Action to enforce the necessary restrictions on scope and redirect_uri:

exports.onExecutePostLogin = async (event, api) => {
  // A refresh-token exchange carries neither scope nor redirect_uri, so the
  // checks only apply to authorization requests.
  if (!event.request.body || !event.request.body.refresh_token) {
    // Require an explicit scope instead of Auth0's default of "openid"
    if (!event.request.query.scope) {
      api.access.deny('scope must be provided in the request');
    }
    // Require an explicit redirect_uri; this also gives a clearer error than the default
    if (!event.request.query.redirect_uri) {
      api.access.deny('redirect_uri must be provided in the request');
    }
  }
};
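To check the rule before deploying it, the Action's decision can be pulled into a pure function and run against a few request shapes with a stand-in for the Actions runtime. This is an added example, not Auth0's code: the event and api objects are constructed stubs, the sample requests are made up, and the function returns the first problem found in the same order the page's Action checks them (refresh-token exchange passes, then scope, then redirect_uri).

```javascript
// Added example (not Auth0's code): the decision from the page's Action as a pure
// function, plus a stub for the Actions runtime so it can be exercised locally.

// Returns the denial reason the Action would raise, or null if the request passes.
function fapiRequestProblem(request) {
  const body = (request && request.body) || {};
  // Refresh-token exchange: neither scope nor redirect_uri is expected, let it through
  if (body.refresh_token) return null;
  const query = (request && request.query) || {};
  if (!query.scope) return 'scope must be provided in the request';
  if (!query.redirect_uri) return 'redirect_uri must be provided in the request';
  return null;
}

// The Action itself; in Auth0 this is exported as exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const problem = fapiRequestProblem(event.request);
  if (problem) api.access.deny(problem);
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Stand-in for the Actions api object: records every deny() call.
function stubApi() {
  const denials = [];
  return { api: { access: { deny: (reason) => denials.push(reason) } }, denials };
}

// Runs the Action against a constructed request and returns the recorded denials.
async function simulate(request) {
  const { api, denials } = stubApi();
  await onExecutePostLogin({ request }, api);
  return denials;
}

// Constructed sample requests (not captured from a real tenant).
const SAMPLES = {
  fullAuthz: { query: { scope: 'openid', redirect_uri: 'https://client.example/cb' } },
  noScope: { query: { redirect_uri: 'https://client.example/cb' } },
  noRedirect: { query: { scope: 'openid' } },
  refresh: { query: {}, body: { grant_type: 'refresh_token', refresh_token: 'constructed' } },
};

// Prints which samples are denied and why; only fullAuthz and refresh pass.
(async () => {
  for (const [name, request] of Object.entries(SAMPLES)) {
    const denials = await simulate(request);
    console.log(`${name}: ${denials.length ? 'denied: ' + denials.join('; ') : 'allowed'}`);
  }
})();
```

The refresh sample passes because the page's Action skips both checks when a refresh_token is present in the body; the two denial strings are the ones the page uses, so they can be matched against what the conformance suite reports.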

