Support for sender constraint mechanisms such as mTLS and DPoP

Problem statement

What are the DPoP and mTLS protocols? Are there any plans for Auth0 to support them?

Solution

Demonstrating Proof of Possession (DPoP)

DPoP is defined in RFC9449: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)

It is intended to provide "… a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens".

This is important because it cryptographically binds access tokens to a particular client at the time those tokens are issued. Any application that later wants to use the access token must also prove possession of the same private key that was used to obtain it, so a token that leaks on its own is not enough to call an API. Because of this property, DPoP forms an important part of the evolving OAuth 2.0 specification.

In terms of practical security benefits, Auth0 would like customers to move away from solutions and flows that rely on third-party cookies, such as the Implicit flow for SPAs.

A more secure approach is the Authorization Code flow with PKCE, in combination with rotating refresh tokens. In future, DPoP will play an important role in enhancing the security of these SPA scenarios.

Availability of DPoP

DPoP is on the Auth0 product roadmap. At the time of this writing (November 2023), it is scheduled for release in 2024, though there is no definite ETA at this moment.

It is recommended that customers register their interest in DPoP by submitting a feature request via the Customer Feedback page.


Mutual Transport Layer Security (mTLS)

mTLS is defined in RFC 8705: Mutual TLS Client Authentication and Certificate-Bound Access Tokens.

It is intended to enable: " … OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client’s mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token."

This extends OAuth by binding access tokens to the client's TLS certificate: a resource server can check that the certificate presented on the mutual-TLS connection is the one the token was bound to when it was issued, so a token presented over a connection authenticated with a different certificate is rejected.

Availability of mTLS

At the time of this writing (November 2023), mTLS is on the Auth0 product roadmap and is scheduled for GA release in Q1 of 2024.

  • It is intended to be a key part of the Highly Regulated Identity offering, which will be available via purchase of the Advance Identity Security SKU.
  • In the initial release, this will only be available to Enterprise customers. Note that this feature will have to be purchased as an Add-on.