Demonstrating Proof-of-Possession (DPoP) for Enterprise connections is currently in Early Access. By using this feature, you agree to the applicable Free Trial terms in Okta’s Master Subscription Agreement. To learn more about product release stages, read Product Release Stages.
Demonstrating Proof-of-Possession (DPoP) is an OAuth 2.0 framework extension that binds (sender-constrains) access tokens to a cryptographic key using asymmetric cryptography and JSON Web Tokens (JWTs) at the application layer. If you use Okta or OpenID Connect (OIDC) as your identity provider (IdP) and have configured it as an Enterprise connection in Auth0, you can enable and configure DPoP to bind access tokens from your IdP to cryptographic keys. Using DPoP prevents token replay attacks and helps meet compliance requirements, such as IPSIE OIDC Security Level 1. To learn more about DPoP, read Demonstrating Proof-of-Possession (DPoP).

Before you start

Before you enable DPoP in Auth0:
  • Your upstream identity provider must support DPoP according to specification RFC-9449.
  • You must have an existing OIDC or Okta Enterprise connection or be able to create one. To learn how to create an Enterprise connection in Auth0, read Enterprise Connections.
  • The connection must not be configured to use Token Vault.
  • The connection should use the Authorization Code Flow with Proof Key for Code Exchange (PKCE); PKCE is enabled upstream if your identity provider supports it.
  • The connection must be type back_channel.

Verify upstream IdP support

Examine your IdP’s OIDC discovery document to determine the DPoP support:
curl https://YOUR_IDP_DOMAIN/.well-known/openid-configuration
In the response, search for the dpop_signing_alg_values_supported value, which lists the DPoP signing algorithms the IdP supports. Example:
{
  "dpop_signing_alg_values_supported": ["ES256", "Ed25519", "RS256"]
}

Choose a signing algorithm

Before you configure DPoP, choose a supported signing algorithm from the options:
| Algorithm | Description | When to use |
| --- | --- | --- |
| ES256 | ECDSA with P-256 curve and SHA-256 | Your identity provider supports ES256. |
| Ed25519 | EdDSA with Curve25519 | Your identity provider requires Ed25519 for compliance. |
Choose ES256 unless your identity provider specifically requires Ed25519. Most identity providers support ES256, and it provides equivalent security with broad compatibility.

Enable DPoP

Use the Management API to configure the DPoP signing algorithm (the alg of the DPoP proof JWT) for your Enterprise connection. To use the Management API, you need to get a Management API access token. Make a PATCH request to the Update a connection endpoint with dpop_signing_alg in the options object:
PATCH https://YOUR_DOMAIN/api/v2/connections/YOUR_CONNECTION_ID
Content-Type: application/json
Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN

{
  "options": {
    "dpop_signing_alg": "ES256"
  }
}
Replace the placeholder values:
  • YOUR_DOMAIN: Your Auth0 tenant domain. Example: travel0.us.auth0.com.
  • YOUR_CONNECTION_ID: The ID of your OIDC or Okta Enterprise connection.
  • YOUR_MANAGEMENT_API_TOKEN: A Management API token with the update:connections scope.

Test DPoP

After enabling DPoP, test the configuration by initiating a login flow:
  1. Navigate to your application.
  2. Start a login using your configured Enterprise connection.
  3. Complete authentication with your upstream identity provider.
  4. Check Auth0 logs by navigating to Auth0 Dashboard > Monitoring > Logs for confirmation.
The log entry for a successful transaction should be similar to:
{
  "type": "s",
  "description": "Success Login",
  "details": {
    "dpop_signing_alg": "ES256"
  }
}

Disable DPoP

To disable DPoP, remove the dpop_signing_alg property from your connection configuration:
PATCH https://YOUR_DOMAIN/api/v2/connections/YOUR_CONNECTION_ID
Content-Type: application/json
Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN

{
  "options": {}
}
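The enable and disable requests above, as an added Python example that is not Auth0's code: it validates the algorithm against the two values this page supports, sends the PATCH, and confirms the returned connection object reflects the change. The use of urllib and the set_dpop/build_options names are assumptions; the domain, connection ID and token are placeholders you supply.

```python
import json
import urllib.request
from typing import Optional

# Signing algorithms Auth0 accepts in dpop_signing_alg during Early Access.
SUPPORTED_ALGS = ("ES256", "Ed25519")


def build_options(alg: Optional[str]) -> dict:
    """Build the "options" object for the PATCH body.

    alg=None produces an empty options object, i.e. dpop_signing_alg is
    removed and DPoP is disabled, matching the Disable DPoP request above.
    """
    if alg is None:
        return {}
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported DPoP signing algorithm: {alg!r}")
    return {"dpop_signing_alg": alg}


def dpop_alg(connection: dict) -> Optional[str]:
    """Read dpop_signing_alg from a connection object (None means disabled)."""
    return (connection.get("options") or {}).get("dpop_signing_alg")


def set_dpop(domain: str, connection_id: str, token: str, alg: Optional[str]) -> Optional[str]:
    """PATCH the connection and confirm the response reflects the requested state."""
    url = f"https://{domain}/api/v2/connections/{connection_id}"
    body = json.dumps({"options": build_options(alg)}).encode()
    req = urllib.request.Request(url, data=body, method="PATCH", headers={
        "Authorization": f"Bearer {token}",  # token needs the update:connections scope
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        updated = json.load(resp)
    # Fail loudly if the tenant did not persist the setting we asked for.
    if dpop_alg(updated) != alg:
        raise RuntimeError(
            f"expected dpop_signing_alg={alg!r}, connection reports {dpop_alg(updated)!r}"
        )
    return dpop_alg(updated)
```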

Troubleshoot

Use the following recommendations to help diagnose and resolve issues with DPoP configuration for OIDC and Okta enterprise connections.

Check configuration

Before you start to troubleshoot, verify your DPoP configuration.
  1. Navigate to Auth0 Dashboard > Authentication > Enterprise.
  2. Select your Okta or OIDC connection.
  3. Verify the connection is not configured with Token Vault by navigating to Advanced Settings > Grant Types. Make sure Token Vault is not selected.
  4. Use the Management API’s Get a connection endpoint to check the dpop_signing_alg setting:
GET https://YOUR_DOMAIN/api/v2/connections/YOUR_CONNECTION_ID
Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN
Check for the dpop_signing_alg property in the response:
{
  "options": {
    "dpop_signing_alg": "ES256"
  }
}

Authentication fails after enabling DPoP

Review the following troubleshooting techniques if your users cannot complete authentication after you have enabled DPoP on your Okta or OIDC enterprise connection.

Identity provider does not support DPoP

Check the IdP’s OpenID Connect discovery document:
curl https://YOUR_IDP_DOMAIN/.well-known/openid-configuration
If dpop_signing_alg_values_supported is missing, then the identity provider does not support DPoP. You need to disable DPoP for this connection or contact your identity provider to enable DPoP support.

Algorithm mismatch

The identity provider may not support the algorithm you configured. Check the supported algorithms in the discovery document for the algorithm you selected for DPoP with Auth0:
{
  "dpop_signing_alg_values_supported": ["RS256"]
}
If your identity provider supports only RS256, DPoP is not available during Early Access. Disable DPoP or wait for RSA algorithm support.
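The discovery-document check described under Verify upstream IdP support and Choose a signing algorithm, covering both failure cases above (key missing, algorithm mismatch such as an RS256-only IdP), as an added Python example that is not Auth0's code. The discovery documents are constructed, and the fetch helper's use of urllib is an assumption.

```python
import json
import urllib.request

DPOP_KEY = "dpop_signing_alg_values_supported"
# Algorithms Auth0 can configure in dpop_signing_alg during Early Access.
AUTH0_DPOP_ALGS = ("ES256", "Ed25519")


def fetch_discovery(idp_domain: str) -> dict:
    """Download the IdP's OpenID Connect discovery document."""
    url = f"https://{idp_domain}/.well-known/openid-configuration"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def check_dpop_support(discovery: dict, preferred: str = "ES256") -> dict:
    """Decide whether, and with which algorithm, DPoP can be enabled.

    status "unsupported": key absent or empty; the IdP does not support DPoP
                          (disable DPoP on the connection or ask the IdP to enable it)
    status "ok":          set dpop_signing_alg to the returned alg
    status "mismatch":    the IdP advertises only algorithms Auth0 cannot use
                          yet, such as RS256 (disable DPoP for now)
    """
    advertised = list(discovery.get(DPOP_KEY) or [])
    if not advertised:
        return {"status": "unsupported", "alg": None, "advertised": advertised}
    # Prefer the requested algorithm, then fall back to any other one Auth0 supports.
    for alg in (preferred, *AUTH0_DPOP_ALGS):
        if alg in AUTH0_DPOP_ALGS and alg in advertised:
            return {"status": "ok", "alg": alg, "advertised": advertised}
    return {"status": "mismatch", "alg": None, "advertised": advertised}


# Constructed discovery-document excerpts for the three outcomes.
IDP_FULL = {"issuer": "https://idp.example", DPOP_KEY: ["ES256", "Ed25519", "RS256"]}
IDP_RSA_ONLY = {"issuer": "https://idp.example", DPOP_KEY: ["RS256"]}
IDP_NO_DPOP = {"issuer": "https://idp.example"}

if __name__ == "__main__":
    for name, doc in (("full", IDP_FULL), ("rsa_only", IDP_RSA_ONLY), ("no_dpop", IDP_NO_DPOP)):
        print(name, check_dpop_support(doc))
```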

Token Vault conflict

DPoP is not compatible with Token Vault. Check your connection configuration with Management API’s Get a connection endpoint:
GET https://YOUR_DOMAIN/api/v2/connections/YOUR_CONNECTION_ID
If upstream_params.offline_access is set to true, or the connection is configured for Token Vault, you must disable Token Vault before enabling DPoP.

Proof validation failures

Review the following troubleshooting techniques if you find authentication failures related to DPoP proof validation.

Nonce requirement

Some IdPs require a nonce in the DPoP proof. Auth0 handles nonce requirements automatically, but network issues can prevent the nonce exchange. Review Auth0 logs for the following error:
{
  "type": "f",
  "description": "Failed Login",
  "details": {
    "error": "use_dpop_nonce"
  }
}
This error indicates a transient issue. Ask the user to retry authentication. If the issue persists, check network connectivity between Auth0 and the identity provider.

IdP token binding

If user authentication succeeds, but Auth0 logs show dpop_returned_from_upstream: false, then your IdP might not bind tokens with DPoP even when Auth0 sends DPoP proofs. This may occur when:
  • The requested resource does not support DPoP.
  • The IdP’s policy does not allow DPoP for specific scenarios.
  • The IdP encountered an error processing the DPoP proof.
Start troubleshooting by checking the IdP’s token response. If token_type is Bearer instead of DPoP, as in the following example, the IdP issued a standard bearer token:
{
  "access_token": "eyJ...",
  "token_type": "Bearer"
}
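The log triage described under Test DPoP, Nonce requirement and IdP token binding, as an added Python example that is not Auth0's code: it maps each log entry to the next action this page recommends and checks the IdP token response's token_type. The log lines are constructed to match the shapes shown on this page; the field names used are the ones the page mentions.

```python
import json


def triage_log_entry(entry: dict) -> str:
    """Map one Auth0 log entry to the action this page recommends."""
    details = entry.get("details") or {}
    if entry.get("type") == "f" and details.get("error") == "use_dpop_nonce":
        return "transient: nonce exchange failed; retry, then check Auth0-to-IdP connectivity"
    if entry.get("type") == "s":
        # Login succeeded but the IdP handed back a token that is not DPoP-bound.
        if details.get("dpop_returned_from_upstream") is False:
            return "login ok but IdP returned an unbound token; check IdP token_type and policy"
        if details.get("dpop_signing_alg"):
            return f"dpop bound with {details['dpop_signing_alg']}"
        return "login ok; no DPoP details recorded (is dpop_signing_alg set?)"
    return "not a DPoP-related entry"


def idp_issued_dpop_token(token_response: dict) -> bool:
    """True when the IdP's token response is sender-constrained (token_type DPoP)."""
    return str(token_response.get("token_type", "")).lower() == "dpop"


def triage_log(text: str) -> list:
    """Triage a log export with one JSON object per line."""
    return [triage_log_entry(json.loads(line)) for line in text.splitlines() if line.strip()]


# Constructed sample log lines, one JSON object per line.
SAMPLE_LOG = """\
{"type": "s", "description": "Success Login", "details": {"dpop_signing_alg": "ES256"}}
{"type": "f", "description": "Failed Login", "details": {"error": "use_dpop_nonce"}}
{"type": "s", "description": "Success Login", "details": {"dpop_signing_alg": "ES256", "dpop_returned_from_upstream": false}}
{"type": "f", "description": "Failed Login", "details": {"error": "access_denied"}}
"""

if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_LOG):
        print(verdict)
    print(idp_issued_dpop_token({"access_token": "eyJ...", "token_type": "Bearer"}))
```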