[Openid-specs-mobile-profile] CIBA's OAuth MTLS reference
bcampbell at pingidentity.com
Mon Jul 9 22:44:18 UTC 2018
Sec 4 of the latest CIBA draft from source
on Polling and Pairwise Identifiers says that "it is MANDATORY for the
Client to authenticate the token endpoint using one of this two mechanisms"
and then cites "Mutual TLS as defined in section 3 Mutual TLS Sender
Constrained Resources Access
<https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-3> of the
as one of the mechanisms. However, section 3 of the OAuth MTLS draft isn't
about client authentication so pointing to it in that context doesn't
really make sense.
Mutual TLS for OAuth Client Authentication is defined in section 2 of that
and more specifically the Self-Signed Certificate Mutual TLS OAuth Client
Authentication Method is defined in sec 2.2
<https://tools.ietf.org/html/draft-ietf-oauth-mtls-09#section-2.2> and is
probably the more appropriate reference here because it (potentially) makes
use of the client's jwks_uri.
Also just noticed that the "this" should be "these" in that first sentence
I-D.ietf-oauth-mtls is at draft -09 now (rather than -07) and hopefully a
real RFC soon (by IETF time anyway).
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-mobile-profile