Expand Up @@ -28,7 +28,13 @@ To configure sender constraining in Auth0, you must:

1. `none`: You have not configured sender constraining for the resource server.
2. `allowed`: You have configured sender constraining for the resource server by setting a sender constraining method.
3. `required`: You have configured sender constraining as required for the resource server, meaning that access tokens must be sender-constrained to an application. Requires a sender constraining method.
3. `required`: You have configured sender constraining as required for the resource server, meaning that access tokens must be sender-constrained to an application. You can require sender constraining for confidential applications only, public applications only, or all applications. Requires a sender constraining method.

<Callout icon="lightbulb" color="#0EA5E9" iconType="regular">

When using mTLS as the sender constraining method, you can only require sender constraining for confidential applications. Public applications are not supported with mTLS.

</Callout>

* **Proof-of-Possession:** Whether the client application sent a proof-of-possession assertion in the token request:

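Review bot: The new `required` bullet (the replacement for old item 3) says sender constraining can be required for "confidential applications only, public applications only, or all applications" but does not say how token requests from the application type that is *not* selected are treated (whether they fall back to the `allowed` behaviour described in item 2 and may still opt in, or are rejected). One sentence after "Requires a sender constraining method." would close that gap, and the Callout that follows could then reference it, since the mTLS restriction it states is really a restriction on that same selection.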
Expand Down Expand Up @@ -176,9 +182,14 @@ To enable Token Binding or sender constraining, configure the **API Settings** o
2. **mTLS**: Enable mTLS as the sender constraining method for your resource server.
3. **DPoP:** Enable DPoP as the sender constraining method for your resource server.

B. Toggle on **Require Token Sender Constraining**. All access tokens issued to an application for this API will be constrained to that application.
2. Require Token Sender Constraining: Select which application types require sender constraining for this API:

1. **Confidential Clients:** Require sender constraining for confidential applications.
2. **Public Clients:** Require sender constraining for public applications. This option is not available when using mTLS.

<Frame>![Auth0 Dashboard > APIs > Settings > Token binding](/docs/images/cdy7uua7fh8z/3Dv98iZosdpJMcZXfXyurn/823fa368ab874218fbb737aacac9b262/Screenshot_2025-07-28_at_3.59.01_PM.png)</Frame>
Select both options to require sender constraining for all applications. Leave both options unselected if sender constraining is not required.

<Frame>![Auth0 Dashboard > APIs > Settings > Token binding](/docs/images/sender-constraining/method_is_dpop.png)</Frame>

</Tab><Tab title="Management API">

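Review bot: The replacement step "2. Require Token Sender Constraining: Select which application types ..." drops the bold formatting that the removed line had (`**Require Token Sender Constraining**`) and that the sibling items use (`**mTLS**`, `**DPoP:**`); restore it so the setting name renders consistently. The sibling context lines also disagree on colon placement (`**mTLS**:` versus `**DPoP:**`), which this hunk could normalize while it is touching the list. Separately, the nested `1.`/`2.` items under step 2 describe checkboxes that can be selected together, so an unordered list would reflect the UI better than a numbered one.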
Expand All @@ -197,12 +208,16 @@ To enable Sender Constraining with the Management API, send a PATCH request to [
</tr>
<tr>
<td><code>required</code></td>
<td>When set to <code>true</code>, all access tokens issued to an application for this API will be constrained to that application. When set to <code>false</code>, sender constraining is not required for the application.</td>
<td><strong>Deprecated.</strong> Use <code>required_for</code> instead. When set to <code>true</code>, all access tokens issued to an application for this API will be constrained to that application. When set to <code>false</code>, sender constraining is not required for the application.</td>
</tr>
<tr>
<td><code>required_for</code></td>
<td>Specifies which application types require sender constraining: <code>all_clients</code> (all applications), <code>confidential_clients</code> (confidential applications only), or <code>public_clients</code> (public applications only). Can also be set to <code>null</code>, which defaults to <code>all_clients</code> when <code>required</code> is <code>true</code>. When using mTLS, only <code>confidential_clients</code> is a valid option.</td>
</tr>
</tbody>
</table>

The following code sample is an example request body that configures a resource server for mTLS Sender Constraining:
The following code sample is an example request body that configures a resource server for mTLS Sender Constraining, required for confidential applications:

```bash lines
curl -L -X PATCH 'https://{YOUR_DOMAIN}/api/v2/resource-servers/{YOUR_RESOURCE_SERVER_ID}' \
Expand All @@ -212,7 +227,24 @@ curl -L -X PATCH 'https://{YOUR_DOMAIN}/api/v2/resource-servers/{YOUR_RESOURCE_S
-d '{
"proof_of_possession": {
"mechanism": "mtls",
"required": true
"required": true,
"required_for": "confidential_clients"
}
}'
```

The following code sample is an example request body that configures a resource server for DPoP Sender Constraining, required for all applications:

```bash lines
curl -L -X PATCH 'https://{YOUR_DOMAIN}/api/v2/resource-servers/{YOUR_RESOURCE_SERVER_ID}' \
-H 'Authorization: Bearer {YOUR_MANAGEMENT_API_TOKEN}' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{
"proof_of_possession": {
"mechanism": "dpop",
"required": true,
"required_for": "all_clients"
}
}'
```
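Review bot: Both request bodies still send `"required": true` alongside `"required_for"`, while the table in this same change marks `required` as deprecated. Either drop `required` from the samples so readers adopt the replacement field, or add a sentence before the first sample saying it is included only for compatibility with existing integrations. The DPoP sample also omits the `"proof_of_possession": { ... }` wrapper's surrounding settings that the mTLS sample inherits from context above it, so the two samples are not obviously interchangeable; a short note that everything outside `proof_of_possession` is unchanged would help.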