Configure Auth0 to pass OpenID FAPI Certification Tests

This section contains some advice on how to configure your client if you would like to test your solution using the OpenID FAPI Conformance Tests. To pass the FAPI Conformance Tests, first configure the following:

Set the compliance_level property to the desired profile, either fapi1_adv_pkj_par, fapi1_adv_mtls_par, fapi2_sp_pkj_mtls, or fapi2_sp_mtls_mtls
Either Configure mTLS (including mTLS aliases) or Configure Private Key JWT
Configure mTLS Token Binding
Configure Pushed Authorization Requests
Ensure the oidc_conformant property is set to true for any clients used for the test. This is the default value for clients created with the Auth0 Dashboard.

Then, follow the instructions below to complete your OpenID FAPI Conformance Tests configuration:

Ensure Auth0 prompts users for consent
Configure supported ACR claims for the tenant
Remove the alg property from JWKS endpoint
Add Action to require scope and redirect_uri
(FAPI2 profiles only) Ensure iss claim is returned in responses

You will need to ensure that Auth0 prompts users for consent. You may skip this step if the client is configured as a first-party app, and the or API supports skipping consent for first-party apps. To ensure Auth0 requests users for consent, set the is_first_party property on the client to false:

curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/clients/YOUR_CLIENT_ID' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_first_party": false  
}'

Then, promote your connection to the domain level:

curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/connections/YOUR_CONNECTION_ID' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "is_domain_connection": true
}'

Configure supported ACR claims for the tenant

The FAPI tests pass a required ACR value of urn:mace:incommon:iap:silver. To include the required ACR value in the , add urn:mace:incommon:iap:silver to the list of supported ACR values for the tenant:

curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "acr_values_supported": ["urn:mace:incommon:iap:silver"]
}'

Remove the alg property from JWKS endpoint

To allow for keys to be used with multiple algorithms, not just RS256, remove the tenant’s alg property from the output of the /.well-known/jwks.json endpoint:

curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/tenants/settings' \
  --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "flags": {
        "remove_alg_from_jwks": true
    }
}'

Add Action to require scope and redirect_uri

By default, Auth0 allows requests without a scope, assuming the openid scope if no scope is present. Auth0 also allows requests without a redirect_uri, which you can set in Actions. However, the FAPI conformance tests require Auth0 to be more restrictive. Add the following Action to enforce the necessary restrictions on scope and redirect_uri:

exports.onExecutePostLogin = async (event, api) => {
  if (!event.request.body || !event.request.body.refresh_token) {
    // Require a scope
    if (!event.request.query.scope) {
      api.access.deny('scope must be provided in the request');
    }
    // To improve the error message if redirect_uri is not present
    if (!event.request.query.redirect_uri) {
      api.access.deny('redirect_uri must be provided in the request');
    }
  }
};

(FAPI2 profiles only) Ensure `iss` claim is returned in responses

The FAPI 2.0 Security Profile requires that the iss parameter is returned in authorization responses according to RFC9207. For compatibility reasons, Auth0 does not do this by default. To enable this behaviour, set the authorization_response_iss_parameter_supported property in tenant settings to true.

curl --location --request PATCH "https://{YOUR_DOMAIN}/api/v2/tenants/settings" \
  --header "Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}" \
  --header "Content-Type: application/json" \
  --data-raw '{
    "authorization_response_iss_parameter_supported": true
  }'

Auth0 Onboarding

Learn the Basics

Configure Auth0

Plan and Design

Auth0 AI

Configure Auth0 to pass OpenID FAPI Certification Tests

Configure supported ACR claims for the tenant

Remove the alg property from JWKS endpoint

Add Action to require scope and redirect_uri

(FAPI2 profiles only) Ensure `iss` claim is returned in responses

Learn more

Auth0 Onboarding

Learn the Basics

Configure Auth0

Plan and Design

Auth0 AI

​Ensure Auth0 prompts users for consent

​Configure supported ACR claims for the tenant

​Remove the alg property from JWKS endpoint

​Add Action to require scope and redirect_uri

​(FAPI2 profiles only) Ensure iss claim is returned in responses

​Learn more

Ensure Auth0 prompts users for consent

Configure supported ACR claims for the tenant

Remove the alg property from JWKS endpoint

Add Action to require scope and redirect_uri

(FAPI2 profiles only) Ensure `iss` claim is returned in responses

Learn more