auth0-dpop
Auth0 DPoP Guide
Bind access tokens to the client's cryptographic key so stolen tokens cannot be replayed.
Overview
What is DPoP?
DPoP (Demonstrating Proof-of-Possession) is an OAuth 2.0 mechanism defined in
RFC 9449 that cryptographically binds access tokens to a key pair held by the
client. The authorization server records the public key's thumbprint in the
token (the `cnf.jkt` claim), and each API request carries a short-lived signed
JWT (the DPoP proof) that proves the sender holds the matching private key.
A stolen token alone is therefore useless to an attacker: without the private
key they cannot produce a valid proof, and a captured proof is tied to one HTTP
method, URL, timestamp and server nonce, so it cannot be reused elsewhere.
When to Use This Skill
- Protecting high-value API calls against token theft and replay attacks
- Meeting security or compliance requirements that mandate sender-constrained tokens
- Any SPA or Vanilla JS app calling a protected Auth0 API with elevated security needs
When NOT to Use This Skill
- SSR / server-side environments: the DPoP support in these SPA SDKs relies on a private key generated and held in the browser, so it cannot be used from server-side rendering code (Next.js, Nuxt, etc.)
- APIs that don't support DPoP: the resource server must be configured to accept DPoP-bound tokens and the `DPoP` authorization scheme; a Bearer-only API will reject requests that carry DPoP proofs
- Flows requiring token sharing: a DPoP token is bound to a single key pair and cannot be forwarded to or reused by another client that does not hold that key
Requirements
- Auth0 tenant with a DPoP-capable authorization server
- API resource server configured to accept DPoP-bound (sender-constrained) access tokens
- A browser SPA using one of: `@auth0/auth0-spa-js`, `@auth0/auth0-vue`, `@auth0/auth0-react`, or `@auth0/auth0-angular`
- HTTPS in production (required by Auth0 for DPoP)
Key Concepts
| Concept | Description |
|---|---|
| DPoP Proof | A short-lived signed JWT attached to each request proving key possession |
| DPoP Nonce | A server-issued value that must be included in the proof to prevent replay |
| `useDpop: true` | SDK option that enables automatic DPoP proof generation |
| `createFetcher()` | SDK helper that returns a request helper which generates the proof, tracks the server nonce and injects the required headers for you |
| `UseDpopNonceError` | Error thrown when the server rotates its nonce mid-flight; retry with the new nonce |
Step 1: Enable DPoP on Your API
Via Auth0 Dashboard
- Go to Applications → APIs
- Select the API your SPA calls
- Under the Settings tab, confirm the API identifier matches the `audience` your SPA requests
- There is no per-client toggle to set in the dashboard: once the API (resource server) is configured to accept DPoP-bound tokens, the client opts in per request by sending a DPoP proof
Via Auth0 CLI
```bash
# Inspect current resource server settings
auth0 api get "resource-servers" | jq '.[] | select(.identifier == "https://your-api-identifier")'

# Set the access token dialect on the API (command as given on this page).
# Caveat: access_token_authz adds the RBAC "permissions" claim to the access
# token; on its own it does not switch the API to DPoP-bound tokens.
auth0 api patch "resource-servers/{API_ID}" \
  --data '{"token_dialect": "access_token_authz"}'
```

> Replace `{API_ID}` with the ID returned from the GET call above. Sender constraining is a separate resource-server setting in the Auth0 Management API (a `proof_of_possession` object with `mechanism: "dpop"` at the time of writing; confirm the exact field against your tenant's Management API reference before patching), and your API's own token validation must additionally check that the proof's key thumbprint matches the token's `cnf.jkt` claim.

---
Step 2: Configure Your Application
Common pattern across all frameworks
- Add `useDpop: true` to your Auth0 client/provider configuration alongside your `audience`
- Use `createFetcher()` instead of attaching tokens manually; the SDK handles proof generation, nonce management, and header injection for you
- Handle `UseDpopNonceError` for the case where the server rotates its nonce: retry the request with the new nonce
Environment variables
Ensure your `.env` includes the API audience:

```bash
# Vite
VITE_AUTH0_DOMAIN=your-tenant.auth0.com
VITE_AUTH0_CLIENT_ID=your-client-id
VITE_AUTH0_AUDIENCE=https://your-api-identifier
```

---
Additional Resources
Framework Examples
Complete implementation examples for all supported frameworks:
- Vue.js
- React
- Angular
- auth0-spa-js (Vanilla JS)
Integration Guide
Error handling and troubleshooting:
- `UseDpopNonceError`: nonce rotation handling
- Common issues
Related Skills
- `auth0-vue` - Vue.js Auth0 integration
- `auth0-react` - React Auth0 integration
- `auth0-angular` - Angular Auth0 integration
- `auth0-spa-js` - Vanilla JS / framework-agnostic SPA integration
- `auth0-mfa` - Multi-factor authentication