DPoP Configuration Reference
This guide provides comprehensive documentation for all DPoP configuration options in the Auth0 ASP.NET Core API Authentication library.
Table of Contents
- Basic Configuration
- DPoPOptions Properties
- DPoP Modes
- Token Validation Parameters
- Advanced Scenarios
- Best Practices
Basic Configuration
Minimal Configuration
Enable DPoP with default settings:
```csharp
builder.Services.AddAuth0ApiAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.JwtBearerOptions = new JwtBearerOptions()
    {
        Audience = builder.Configuration["Auth0:Audience"]
    };
}).WithDPoP();
```
Configuration with Options
Customize DPoP behavior:
```csharp
builder.Services.AddAuth0ApiAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.JwtBearerOptions = new JwtBearerOptions()
    {
        Audience = builder.Configuration["Auth0:Audience"]
    };
}).WithDPoP(options =>
{
    options.Mode = DPoPModes.Required;
    options.IatOffset = 300;
    options.Leeway = 30;
});
```
DPoPOptions Properties
Mode
Type: DPoPModes
Default: DPoPModes.Allowed
Specifies the DPoP enforcement mode.
```csharp
options.Mode = DPoPModes.Allowed;  // Accept both DPoP and Bearer
options.Mode = DPoPModes.Required; // Only DPoP tokens
options.Mode = DPoPModes.Disabled; // No DPoP validation
```
Permitted Values:
| Mode | Description | Use Case |
|---|---|---|
| `Allowed` | DPoP validated when present; Bearer tokens also accepted | Migration, mixed environments |
| `Required` | Only DPoP tokens accepted; Bearer tokens rejected | Maximum security |
| `Disabled` | No DPoP validation; standard JWT Bearer only | Temporary disable, troubleshooting |
IatOffset
Type: int (seconds)
Default: 300 (5 minutes)
Minimum: 0
Maximum allowed age of the DPoP proof token, measured from its `iat` (issued-at) claim.
```csharp
options.IatOffset = 300; // Allow proofs up to 5 minutes old
```
Example Scenarios:
```csharp
// Strict security - short window
options.IatOffset = 60;  // 1 minute

// Balanced - recommended for most APIs
options.IatOffset = 300; // 5 minutes

// Lenient - high-latency networks
options.IatOffset = 600; // 10 minutes
```
Leeway
Type: int (seconds)
Default: 30
Minimum: 0
Clock skew tolerance for time-based validations.
```csharp
options.Leeway = 30; // 30 seconds tolerance
```
Example Scenarios:
```csharp
// Tight synchronization
options.Leeway = 10; // 10 seconds

// Standard tolerance
options.Leeway = 30; // 30 seconds

// Distributed systems with known clock drift
options.Leeway = 60; // 1 minute
```
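As an added example (not code from the library's own documentation), the three properties above can be driven from configuration instead of hard-coded, with fail-fast validation of the values the reference table allows. The `Auth0:DPoP` section name, its keys, and the rule refusing `Disabled` outside the Development environment are assumptions of this example; the `WithDPoP`, `DPoPModes`, `IatOffset` and `Leeway` names are the library's, as shown on this page.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
// Plus the Auth0 library's own namespace, as used in the Getting Started guide.

// Assumed appsettings.json shape (hypothetical section name "Auth0:DPoP"):
//   "Auth0": { "Domain": "...", "Audience": "...",
//              "DPoP": { "Mode": "Required", "IatOffset": 300, "Leeway": 30 } }
var builder = WebApplication.CreateBuilder(args);
var dpopSection = builder.Configuration.GetSection("Auth0:DPoP");

// Parse the mode by name; fall back to Allowed (the library default) when absent.
var modeText = dpopSection["Mode"] ?? nameof(DPoPModes.Allowed);
if (!Enum.TryParse<DPoPModes>(modeText, ignoreCase: true, out var mode))
    throw new InvalidOperationException($"Unknown DPoP mode '{modeText}'.");

// Disabled switches DPoP validation off entirely, so this example only
// permits it in Development (an assumed policy, not a library rule).
if (mode == DPoPModes.Disabled && !builder.Environment.IsDevelopment())
    throw new InvalidOperationException(
        "DPoPModes.Disabled is not permitted outside the Development environment.");

// Both windows are in seconds with a documented minimum of 0; reject negative
// values explicitly rather than letting a typo silently widen or break validation.
int iatOffset = dpopSection.GetValue("IatOffset", 300);
int leeway = dpopSection.GetValue("Leeway", 30);
if (iatOffset < 0 || leeway < 0)
    throw new InvalidOperationException("IatOffset and Leeway must be >= 0 seconds.");

builder.Services.AddAuth0ApiAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.JwtBearerOptions = new JwtBearerOptions()
    {
        Audience = builder.Configuration["Auth0:Audience"]
    };
}).WithDPoP(options =>
{
    options.Mode = mode;
    options.IatOffset = iatOffset;
    options.Leeway = leeway;
});
```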
DPoP Modes
Allowed Mode (Default)
```csharp
.WithDPoP(options => options.Mode = DPoPModes.Allowed)
```
Behavior:
- ✅ Validates DPoP when the `DPoP` header is present
- ✅ Accepts standard Bearer tokens
- 🔍 Checks the `Authorization` header scheme (`DPoP` or `Bearer`)
Required Mode
```csharp
.WithDPoP(options => options.Mode = DPoPModes.Required)
```
Behavior:
- ✅ Only accepts DPoP-bound tokens
- ❌ Rejects Bearer tokens even if valid
- ❌ Rejects requests without a `DPoP` header
Disabled Mode
```csharp
.WithDPoP(options => options.Mode = DPoPModes.Disabled)
```
Behavior:
- ✅ Standard JWT Bearer authentication only
- 🚫 Ignores the `DPoP` header completely
- 🚫 No DPoP validation performed
Configuration Reference Table
| Property | Type | Default | Min | Max | Purpose |
|---|---|---|---|---|---|
| `Mode` | `DPoPModes` | `Allowed` | - | - | Enforcement mode |
| `IatOffset` | `int` | 300 | 0 | ∞ | Max proof age (seconds) |
| `Leeway` | `int` | 30 | 0 | ∞ | Clock skew tolerance (seconds) |
Next Steps
- DPoP Overview - Understanding DPoP concepts
- Getting Started with DPoP - Quick start guide
- API Reference - Full API documentation