To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
compliance_level property that can be set to one of three values:
nullor undefined: No compliance level is required. This is the default.fapi1_adv_mtls_par: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using mTLS and PAR.fapi1_adv_pkj_par: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using Private Key JWT and PAR.fapi2_sp_pkj_mtls: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using Private Key JWT and mTLS Token Sender-Constraining.fapi2_sp_mtls_mtls: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using mTLS Client Authentication and mTLS Token Sender-Constraining.
compliance_level ensures that no authorization request can succeed unless the request and the configuration is compliant with the selected standard.
For example, both the fapi1_adv_pkj_par and fapi1_adv_mtls_par compliance levels require PAR. If either of these compliance levels are selected, PAR is required regardless of the value of the require_pushed_authorization_requests setting. Attempting an authorization without using PAR results in the following error response:
fapi1_adv_pkj_par and fapi1_adv_mtls_par compliance levels cause Auth0 to include a s_hash claim in the returned containing a SHA256 hash of the state value. This allows the ID tokens to act as a detached signature.
The following tables summarize the additional validation rules and changes to Auth0’s behavior that each compliance level enables:
Configure FAPI Compliance for a client
- Auth0 Dashboard
- Management API
To perform this using the Auth0 Dashboard:
- Navigate to Auth0 Dashboard > Applications.
- Select the application.
- Select the Application Settings tab.
- Open the Advanced Settings section.
- In the OAuth tab, select the FAPI Compliance Enforcement Level.
- None: No compliance level is required. This is the default.
- FAPI 1 Advanced profile using Private Key JWT and PAR: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using Private Key JWT and PAR.
- FAPI 1 Advanced profile using mTLS and PAR: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using mTLS and PAR.
- FAPI 2.0 Security Profile with Private Key JWT and certificate binding: The customer would like this client to behave in accordance with the FAPI2.0 Security Profile using Private Key JWT Client Authentication and mTLS Token Sender-Constraining.
- FAPI 2.0 Security Profile with mTLS and certificate binding: The customer would like this client to behave in accordance with the FAPI2.0 Security Profile using mTLS Client Authentication and mTLS Token Sender-Constraining.