[Openid-specs-fapi] FAPI Security Profile 1.0 Parts 1 & 2 Final Preview #3
ejay at mgi1.com
Sat Feb 27 16:46:03 UTC 2021
I believe you may be talking about 5.2.2 - 14
shall authenticate the confidential client using one of the following
methods (this overrides FAPI Security Profile 1.0 - Part 1: Baseline
1. tls_client_auth or self_signed_tls_client_auth as specified in
section 2 of MTLS <https://tools.ietf.org/html/rfc8705>, *OR*
2. private_key_jwt as specified in section 9 of OIDC
So it's an OR situation, you don't need to support both for client
authentication. But Part 2 does require MTLS for sender constrained access
tokens in 5.2.2 - 6
shall support MTLS <https://tools.ietf.org/html/rfc8705> as mechanism
for constraining the legitimate senders of access tokens;
Mutual-TLS certificate-bound access tokens and mutual-TLS client
authentication are distinct mechanisms that are complementary but
don't necessarily need to be deployed or used together
On Sat, Feb 27, 2021 at 8:07 AM Natalie Cuthbert <natalie at stitch.money>
> Hi Edmund,
> Haven't been following a huge amount of the preceding discussions, so
> forgive me if this is a question asked out of ignorance, but what is the
> motivation behind requiring both private_key_jwt AND mTLS in the advanced
> The latter in particular would be particularly hard to implement for us
> due to our reliance on Cloudflare proxy for some of our security needs.
> Other companies that rely on middleware for additional security would
> probably face similar challenges.
> On Sat, Feb 27, 2021 at 1:52 AM Edmund Jay via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>> Dear WG members,
>> Attached are the Final preview #4 version of the rendered HTML of the
>> Security Profile 1.0 Parts 1 and 2 with all issues resolved.
>> Your comments and feedback are much appreciated.
>> Thank you.
>> -- Edmund
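The distinction Edmund draws above (mutual-TLS client authentication at the token endpoint versus mutual-TLS certificate-bound access tokens checked at the resource) is easiest to see in code. The following is an added example, not code from the thread or from the FAPI working group: it implements the RFC 8705 section 3 binding, where the authorization server records base64url(SHA-256(DER of the client certificate)) as the `cnf.x5t#S256` claim regardless of which client authentication method was used (so a client that authenticates with private_key_jwt still gets a certificate-bound token if it presents a certificate on the TLS connection), and the resource server compares that thumbprint with the certificate presented on its own TLS connection. The certificate bytes, the claim values and the `require_binding` policy flag are constructed stand-ins and assumptions for illustration; only the hash of the DER matters for the mechanism.

```python
import base64
import hashlib
import hmac
from typing import Any, Dict

# Constructed stand-ins for DER-encoded X.509 certificates (not real certificates).
# RFC 8705 binds the token to SHA-256(DER), so any bytes demonstrate the mechanism.
CLIENT_CERT_DER = b"constructed stand-in for the client's DER-encoded certificate"
OTHER_CERT_DER = b"constructed stand-in for some other party's DER-encoded certificate"

# Claims an AS might place in an access token before binding (assumed values).
BASE_CLAIMS: Dict[str, Any] = {
    "iss": "https://as.example",
    "sub": "user-123",
    "aud": "https://rs.example",
    "scope": "accounts",
}


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JOSE and RFC 8705 use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url(SHA-256(certificate DER))."""
    return b64url_nopad(hashlib.sha256(cert_der).digest())


def bind_token_to_cert(claims: Dict[str, Any], tls_client_cert_der: bytes) -> Dict[str, Any]:
    """Authorization-server side.

    Whatever method authenticated the client at the token endpoint
    (tls_client_auth, private_key_jwt, or none for a public client), the AS
    records the thumbprint of the certificate presented on the mutual-TLS
    connection in cnf.x5t#S256. Client authentication and sender constraining
    are independent steps.
    """
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(tls_client_cert_der)}
    return bound


def token_is_bound_to_cert(
    claims: Dict[str, Any], presented_cert_der: bytes, require_binding: bool = True
) -> bool:
    """Resource-server side.

    `claims` are the already-validated token claims (JWT payload or
    introspection response); `presented_cert_der` is the certificate the
    caller used on this TLS connection. With require_binding=True (assumed
    policy for a FAPI Part 2 resource) a token without cnf is a plain bearer
    token and is rejected.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return not require_binding
    expected = cnf["x5t#S256"]
    if not isinstance(expected, str):
        return False
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(
        expected.encode("utf-8"), x5t_s256(presented_cert_der).encode("ascii")
    )


def demo() -> Dict[str, bool]:
    """Exercise the three cases a resource server meets."""
    token = bind_token_to_cert(BASE_CLAIMS, CLIENT_CERT_DER)
    return {
        # Legitimate client replays its own certificate: accepted.
        "same_cert_accepted": token_is_bound_to_cert(token, CLIENT_CERT_DER),
        # Token leaked to a party with a different certificate: rejected.
        "other_cert_rejected": token_is_bound_to_cert(token, OTHER_CERT_DER),
        # Unbound bearer token under a binding-required policy: rejected.
        "bearer_token_rejected": token_is_bound_to_cert(BASE_CLAIMS, CLIENT_CERT_DER),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

Note that nothing in `token_is_bound_to_cert` depends on how the client authenticated to the AS; that is why Part 2 can require MTLS for sender constraining while letting the client authentication method be either tls_client_auth or private_key_jwt. It also shows where a TLS-terminating proxy in front of the resource bites: the resource needs the DER of the certificate the caller actually presented, so the proxy has to pass it through (for example in a header it alone can set) or the comparison cannot be made.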