You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
> This feature is currently available in [Early Access](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access). Please reach out to Auth0 support to get it enabled for your tenant.
217
+
218
+
[DPoP](https://www.rfc-editor.org/rfc/rfc9449.html) (Demonstrating Proof of Possession) is an application-level mechanism for sender-constraining OAuth 2.0 access and refresh tokens by proving that the app is in possession of a certain private key. You can enable it by calling the `useDPoP()` method.
> DPoP will only be used for new user sessions created after enabling it. DPoP **will not** be applied to any requests involving existing access and refresh tokens (such as exchanging the refresh token for new credentials).
236
+
>
237
+
> This means that, after you've enabled it in your app, DPoP will only take effect when users log in again. It's up to you to decide how to roll out this change to your users. For example, you might require users to log in again the next time they open your app. You'll need to implement the logic to handle this transition based on your app's requirements.
238
+
239
+
When making requests to your own APIs, use the `DPoP.getHeaderData()` method to get the `Authorization` and `DPoP` header values to be used. The `Authorization` header value is generated using the access token and token type, while the `DPoP` header value is the generated DPoP proof.
If your API is issuing DPoP nonces to prevent replay attacks, you can pass the nonce value to the `getHeaderData()` method to include it in the DPoP proof. Use the `DPoP.isNonceRequiredError(response: Response)` method to check if a particular API response failed because a nonce is required.
256
+
257
+
```kotlin
258
+
if (DPoP.isNonceRequiredError(response)) {
259
+
val nonce = response.headers["DPoP-Nonce"]
260
+
val dpopProof =DPoPProvider.generateProof(
261
+
url, httpMethod, accessToken, nonce
262
+
)
263
+
// Retry the request with the new proof
264
+
}
265
+
```
266
+
267
+
On logout, you should call `DPoP.clearKeyPair()` to delete the user's key pair from the Keychain.
> DPoP is supported only on Android version 6.0 (API level 23) and above. Trying to use DPoP in any older versions will result in an exception.
282
+
211
283
## Authentication API
212
284
213
285
The client provides methods to authenticate the user against the Auth0 server.
@@ -651,6 +723,62 @@ authentication
651
723
```
652
724
</details>
653
725
726
+
## DPoP [EA]
727
+
728
+
> [!NOTE]
729
+
> This feature is currently available in [Early Access](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access). Please reach out to Auth0 support to get it enabled for your tenant.
730
+
731
+
[DPoP](https://www.rfc-editor.org/rfc/rfc9449.html) (Demonstrating Proof of Posession) is an application-level mechanism for sender-constraining OAuth 2.0 access and refresh tokens by proving that the app is in possession of a certain private key. You can enable it by calling the `useDPoP()` method. This ensures that DPoP proofs are generated for requests made through the AuthenticationAPI client.
732
+
733
+
```kotlin
734
+
val client =AuthenticationAPIClient(account).useDPoP()
735
+
```
736
+
737
+
[!IMPORTANT]
738
+
> DPoP will only be used for new user sessions created after enabling it. DPoP **will not** be applied to any requests involving existing access and refresh tokens (such as exchanging the refresh token for new credentials).
739
+
>
740
+
> This means that, after you've enabled it in your app, DPoP will only take effect when users log in again. It's up to you to decide how to roll out this change to your users. For example, you might require users to log in again the next time they open your app. You'll need to implement the logic to handle this transition based on your app's requirements.
741
+
742
+
When making requests to your own APIs, use the `DPoP.getHeaderData()` method to get the `Authorization` and `DPoP` header values to be used. The `Authorization` header value is generated using the access token and token type, while the `DPoP` header value is the generated DPoP proof.
If your API is issuing DPoP nonces to prevent replay attacks, you can pass the nonce value to the `getHeaderData()` method to include it in the DPoP proof. Use the `DPoP.isNonceRequiredError(response: Response)` method to check if a particular API response failed because a nonce is required.
759
+
760
+
```kotlin
761
+
if (DPoP.isNonceRequiredError(response)) {
762
+
val nonce = response.headers["DPoP-Nonce"]
763
+
val dpopProof =DPoPProvider.generateProof(
764
+
url, httpMethod, accessToken, nonce
765
+
)
766
+
// Retry the request with the new proof
767
+
}
768
+
```
769
+
770
+
On logout, you should call `DPoP.clearKeyPair()` to delete the user's key pair from the Keychain.
771
+
772
+
```kotlin
773
+
774
+
DPoP.clearKeyPair()
775
+
776
+
```
777
+
778
+
> [!NOTE]
779
+
> DPoP is supported only on Android version 6.0 (API level 23) and above. Trying to use DPoP in any older versions will result in an exception.
0 commit comments