[Openid-specs-fapi] Issue #744: Allow OAuth 2.0 Attestation-Based Client Authentication (openid/fapi)

josephheenan issues-reply at bitbucket.org
Tue May 27 18:52:32 UTC 2025


New issue 744: Allow OAuth 2.0 Attestation-Based Client Authentication
https://bitbucket.org/openid/fapi/issues/744/allow-oauth-20-attestation-based-client

Joseph Heenan:

FAPI2 currently only allows private_key_jwt and mtls client authentication, both of which are kind of awkward for mobile clients to do.

This makes it difficult for OID4VCI to adopt FAPI (see https://github.com/openid/OpenID4VCI/issues/291#issuecomment-2862965297).

I wonder if we can allow the new IETF draft in the future (in addition to private_key_jwt / MTLS client auth) - I think it would be a non-breaking extension:

https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/
