Enable PAR/DPoP and Client Auth Methods
Environment flags (verified in code)
- `MS_BFF_PAR_ENABLED`: enable Pushed Authorization Requests in the auth flow (ms_bff_spike/ms_bff/src/routes/auth_stub.py).
- `MS_BFF_DPOP_ENABLED`: toggle DPoP proof/validation (auth_stub.py; server-side validation middleware in src/main.py).
- `MS_BFF_TOKEN_AUTH_METHOD`: `client_secret_basic` or `private_key_jwt` for token endpoint auth (src/services/idp_client.py).
- Related IdP/OAuth settings live in ../reference/settings-reference.md#authentication-and-oauthidp.
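The checks the server-side DPoP validation that `MS_BFF_DPOP_ENABLED` switches on has to make before trusting a bound token, as an added example (not the ms_bff project's code): header type and algorithm, `htm`/`htu` binding to the request, `iat` freshness, `jti` replay, `ath` coverage of the access token, and the RFC 7638 thumbprint match against the token's `cnf.jkt`. The `verify_signature(jwk, signing_input, signature)` hook is a hypothetical callback for whatever JOSE library the service uses; the URL, token and JWK values in the docstrings and test are constructed.

```python
import base64
import hashlib
import json

ALLOWED_ALGS = {"ES256", "ES384", "ES512", "PS256", "RS256", "EdDSA"}  # asymmetric only, never HS*/none
IAT_SKEW = 300  # seconds a proof's iat may differ from the server clock

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def ath_of(access_token: str) -> str:
    """The 'ath' claim: base64url(SHA-256(access token)) as the token appears on the wire."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of canonical JSON over the key type's required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return b64url(hashlib.sha256(json.dumps(members, separators=(",", ":"), sort_keys=True).encode()).digest())

def validate_dpop_proof(proof: str, method: str, url: str, access_token: str, expected_jkt: str,
                        seen_jti: set, verify_signature, now: int) -> bool:
    """True only if the proof binds this request to the key named by the token's cnf.jkt.
    verify_signature(jwk, signing_input, signature) -> bool is a hypothetical hook for your JOSE library."""
    h_b64, p_b64, sig_b64 = proof.split(".")  # a malformed proof raises; the middleware maps that to 401
    header = json.loads(b64url_decode(h_b64))
    claims = json.loads(b64url_decode(p_b64))
    if header.get("typ") != "dpop+jwt" or header.get("alg") not in ALLOWED_ALGS:
        return False
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or jwk.get("kty") not in ("EC", "RSA", "OKP") or "d" in jwk:
        return False  # missing/unsupported key, or a private key leaked into the header
    if not verify_signature(jwk, f"{h_b64}.{p_b64}".encode("ascii"), b64url_decode(sig_b64)):
        return False
    if claims.get("htm") != method or claims.get("htu") != url:
        return False  # proof was made for a different request
    if abs(now - int(claims.get("iat", 0))) > IAT_SKEW:
        return False  # stale or future-dated proof
    if not claims.get("jti") or claims["jti"] in seen_jti:
        return False  # replayed proof
    if claims.get("ath") != ath_of(access_token):
        return False  # proof does not cover this access token
    if jwk_thumbprint(jwk) != expected_jkt:
        return False  # proof key is not the key the token is bound to
    seen_jti.add(claims["jti"])
    return True
```

The `htu` comparison is exact, so the caller must normalize the request URL (scheme, host, path, no query or fragment) before passing it in.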
FAQ (client auth & JWKS)
- What JWKS URL should the IdP use for the BFF client?
  - `https://<your-bff-host>/.well-known/jwks.json`. Point the client's `jwks_uri` there when using `private_key_jwt`.
- Do I need to re-run DCR (Dynamic Client Registration) for key rotation?
  - No. Rotate keys in the BFF and keep both old and new keys in JWKS during a grace window; the IdP will fetch via `jwks_uri`.
mTLS (enterprise OAuth)
- The enterprise OAuth client supports mTLS; when enabled with a cert/key pair, the IdP client passes the certificate to httpx and marks token binding as `mtls`.
Validation
- Check metrics for `par_requests_total` and the DPoP validation counters; confirm that token exchange works with the chosen auth method.