[Openid-specs-mobile-profile] Issue #72: CIBA's OAuth MTLS reference fix/update (openid/mobile)

Brian Campbell issues-reply at bitbucket.org
Thu Jul 12 18:31:14 UTC 2018

New issue 72: CIBA's OAuth MTLS reference fix/update

Brian Campbell:

Sec 4 of the latest CIBA draft from source on Polling and Pairwise Identifiers says that "it is MANDATORY for the Client to authenticate the token endpoint using one of this two mechanisms" and then cites "Mutual TLS as defined in section 3 Mutual TLS Sender Constrained Resources Access of the [I-D.ietf-oauth-mtls]" as one of the mechanisms. However, section 3 of the OAuth MTLS draft isn't about client authentication so pointing to it in that context doesn't really make sense.

Mutual TLS for OAuth Client Authentication is defined in section 2 of that document and more specifically the Self-Signed Certificate Mutual TLS OAuth Client Authentication Method is defined in sec 2.2 and is probably the more appropriate reference here because it (potentially) makes use of the client's jwks_uri.
Also just noticed that the "this" should be "these" in that first sentence quoted.

I-D.ietf-oauth-mtls is at draft -09 now (rather than -07) and hopefully a real RFC soon (by IETF time anyway).  


More information about the Openid-specs-mobile-profile mailing list