Overview

Mutual TLS Profiles for OAuth Clients describes Transport Layer Security (TLS) Mutual Authentication using X.509 certificates as a mechanism both for OAuth Client authentication to the token_endpoint and for sender constrained access to OAuth 2.0 Protected Resources.

The OAuth 2.0 Authorization Framework RFC 6749 defines a Shared Secret method of OAuth Client authentication, but also allows for the definition and use of additional client authentication mechanisms when interacting with the Authorization Server's token_endpoint. Mutual TLS Profiles for OAuth Clients uses mutual TLS (RFC 5246) certificate-based authentication for this purpose, which provides a higher Level Of Assurance and better security characteristics than Shared Secrets. Mutual TLS sender constrained access to Protected Resources ensures that only the party in possession of the Private Key corresponding to the certificate can use the Access Token to access the associated Protected Resources. Such a constraint is unlike the case of the basic Bearer Token described in RFC 6750, where any party in possession of the Access Token can use it to access the associated resources. Mutual TLS sender constrained access prevents the use of stolen Access Tokens by binding the Access Token to the client's certificate.
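The certificate binding described above, as an added illustration that is not part of the original page or the draft's own text: the token_endpoint records a thumbprint of the client certificate in the token's confirmation (cnf) claim under the key x5t#S256 (the base64url-encoded SHA-256 of the certificate's DER encoding, as the draft defines it), and the Protected Resource accepts the token only when the certificate presented on the mutual TLS connection hashes to the same value. The certificate byte strings are constructed stand-ins, not real DER certificates, since only their hash matters here.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for two clients' DER-encoded certificates (not real X.509).
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-cert-of-legitimate-client"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-cert-of-some-other-party"


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint used in the cnf claim: base64url (no padding) of SHA-256 over the DER bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_cert(claims: dict, client_cert_der: bytes) -> dict:
    """token_endpoint side: attach the authenticated client's certificate thumbprint
    to the Access Token claims, making the token sender constrained."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def verify_sender_constraint(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Protected Resource side: the certificate the caller presented during the TLS
    handshake must match the thumbprint bound into the token. A token without a cnf
    claim is a plain bearer token and is rejected by a resource that requires binding."""
    if presented_cert_der is None:
        return False  # request did not arrive over mutual TLS
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False  # unbound token: usable by anyone who holds it
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    return hmac.compare_digest(expected, actual)  # constant-time comparison


if __name__ == "__main__":
    token = bind_token_to_cert({"sub": "client-a", "scope": "read"}, CLIENT_CERT_DER)
    print("legitimate client:", verify_sender_constraint(token, CLIENT_CERT_DER))
    print("token replayed from another cert:", verify_sender_constraint(token, OTHER_CERT_DER))
    print("token replayed without mTLS:", verify_sender_constraint(token, None))
```

The same check applies whether the Protected Resource reads the cnf claim from a JWT payload or from a token introspection response; what matters is that the comparison is made against the certificate actually negotiated on the connection, not one supplied in the request body.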
More Information

There might be more information for this subject on one of the following:
- Best Practices OpenID Connect
- Mutual TLS Sender Constrained Resources Access
- Mutual TLS for OAuth Client Authentication
- Web Blog_blogentry_100417_1
- Web Blog_blogentry_150617_1
- [#1] - Mutual TLS Profiles for OAuth Clients draft-ietf-oauth-mtls-04 - based on information obtained 2017-07-29