[Openid-specs-ab] Issue #2088: [Federation] tls_client_auth as a request authentication method (openid/connect)
Takahiko Kawasaki
issues-reply at bitbucket.org
Tue Nov 7 02:41:11 UTC 2023
New issue 2088: [Federation] tls_client_auth as a request authentication method
https://bitbucket.org/openid/connect/issues/2088/federation-tls_client_auth-as-a-request
Takahiko Kawasaki:
Section [10.1.1.2.1. Processing the Authentication Request](https://openid.net/specs/openid-federation-1_0.html#section-10.1.1.2.1) of the OpenID Federation specification says as follows with regard to `tls_client_auth`:
> tls_client_auth
>
> If mTLS is used and the certificate used was not self-signed, then the Subject Alternative Name of the certificate MUST match the Entity Identifier of the RP.
This requirement consequently requires that the RP have the `tls_client_auth_san_uri` metadata whose value matches the entity identifier of the RP, and that the client certificate be created accordingly. Having the `tls_client_auth_san_uri` metadata excludes the other `tls_client_auth_` metadata such as `tls_client_auth_subject_dn`, `tls_client_auth_san_dns`, `tls_client_auth_san_ip` and `tls_client_auth_san_email`. (cf. RFC 8705, [2.1.2. Client Registration Metadata](https://www.rfc-editor.org/rfc/rfc8705.html#section-2.1.2))
This restriction cannot coexist with some real-world ecosystems. For example, Open Finance in Brazil prohibits client metadata from including `tls_client_auth_san_*` in the context of Dynamic Client Registration (unless the rule has not changed since I read their specification in the past). (cf. “[Implementer’s note about Open Banking Brasil](https://darutk.medium.com/implementers-note-about-open-banking-brasil-78d3d612dfaf)”)
I feel that it is better to remove the requirement “the Subject Alternative Name of the certificate MUST match the Entity Identifier of the RP” so that the RP can use any of `tls_client_auth_subject_dn` and `tls_client_auth_san_*` for the `tls_client_auth` client authentication method.
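The interaction the issue describes, as an added illustration that is not part of the issue, of the OpenID Federation text, or of RFC 8705: the RFC 8705 PKI binding accepts any single `tls_client_auth_*` parameter, while the quoted Federation rule additionally ties a CA-issued certificate to the RP's Entity Identifier. The certificate fields are assumed to be already extracted from a chain-validated certificate, and the Entity Identifier (an https URL) is assumed to be matched against the URI-type Subject Alternative Name; all sample values are constructed.

```python
from dataclasses import dataclass, field

# RFC 8705 section 2.1.2: a client using tls_client_auth registers exactly one of
# these parameters to express the expected certificate subject.
PKI_BINDING_PARAMS = (
    "tls_client_auth_subject_dn",
    "tls_client_auth_san_dns",
    "tls_client_auth_san_uri",
    "tls_client_auth_san_ip",
    "tls_client_auth_san_email",
)


@dataclass
class ClientCert:
    """Identity fields extracted from an already chain-validated client certificate (constructed)."""
    subject_dn: str
    san_dns: list[str] = field(default_factory=list)
    san_uri: list[str] = field(default_factory=list)
    san_ip: list[str] = field(default_factory=list)
    san_email: list[str] = field(default_factory=list)
    self_signed: bool = False


def selected_binding(metadata: dict) -> tuple[str, str]:
    """Return the one registered tls_client_auth_* parameter; more or fewer is a registration error."""
    present = [p for p in PKI_BINDING_PARAMS if p in metadata]
    if len(present) != 1:
        raise ValueError(f"exactly one tls_client_auth_* parameter is required, got {present}")
    return present[0], metadata[present[0]]


def rfc8705_binding_ok(metadata: dict, cert: ClientCert) -> bool:
    """RFC 8705 PKI method: the presented certificate must carry the registered subject or SAN value."""
    param, expected = selected_binding(metadata)
    if param == "tls_client_auth_subject_dn":
        # A real implementation compares DNs per RFC 4514/5280 rules, not as plain strings.
        return cert.subject_dn == expected
    san_kind = param.removeprefix("tls_client_auth_san_")
    return expected in getattr(cert, f"san_{san_kind}")


def federation_binding_ok(metadata: dict, cert: ClientCert, entity_id: str) -> bool:
    """Quoted Federation rule on top of RFC 8705: a certificate that is not self-signed
    must also carry the RP's Entity Identifier as a SAN (assumed here: URI-type SAN)."""
    if not rfc8705_binding_ok(metadata, cert):
        return False
    return cert.self_signed or entity_id in cert.san_uri
```

With a subject-DN-only registration (the Brazilian profile in the issue) the RFC 8705 check passes but the Federation check fails unless the CA-issued certificate also carries the Entity Identifier as a SAN URI.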