Mutual TLS Profiles for OAuth Clients

Overview#

Mutual TLS Profiles for OAuth Clients describes Transport Layer Security (TLS) Mutual Authentication using X.509 certificates as a mechanism for both OAuth Client authentication to the token_endpoint as well as for sender constrained access to OAuth 2.0 Protected Resources.

The OAuth 2.0 Authorization Framework RFC 6749 defines a Shared Secret (client_secret) method of OAuth Client authentication, but also allows for the definition and use of additional client authentication mechanisms when interacting with the Authorization Server's token_endpoint.

Mutual TLS for OAuth Client Authentication#

Mutual TLS Profiles for OAuth Clients describes an additional mechanism of OAuth Client authentication that utilizes mutual TLS (RFC 5246) certificate-based authentication. Because the client proves possession of a Private Key rather than transmitting a shared value, this provides a higher Level Of Assurance and better security characteristics than Shared Secrets.

Mutual TLS Sender Constrained Resources Access#

Mutual TLS sender constrained access to Protected Resources ensures that only the party in possession of the Private Key corresponding to the certificate can utilize the Access Token to get access to the associated Protected Resources. Such a constraint is unlike the case of the basic Bearer Token described in RFC 6750, where any party in possession of the Access Token can use it to access the associated resources. Mutual TLS sender constrained access prevents the use of stolen Access Tokens by binding the Access Token to the client's certificate: the Authorization Server records the SHA-256 thumbprint of the certificate the client presented at the token_endpoint (in the token's cnf claim, or exposed via token introspection for opaque tokens), and the Protected Resource must reject any request where the certificate on its own TLS connection does not match that thumbprint.
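The following Go program is an added example, not code from the original page or from the profile itself, covering both mechanisms described above. The token_endpoint side checks the presented client certificate's subject against a registered DN (the PKI method's tls_client_auth_subject_dn metadata; comparing DNs as plain RFC 2253 strings is a simplification) and then issues a token whose cnf x5t#S256 member carries the certificate's base64url SHA-256 thumbprint. The Protected Resource side recomputes the thumbprint from the certificate on its own TLS connection and rejects a mismatch, so a token stolen from the legitimate client is useless to anyone without that client's Private Key. The certificates are self-signed throwaways generated in-process so the example runs offline; refusing a token that has no cnf claim at all is a resource-server policy assumption, not a rule of the profile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Claims is the subset of an access token body that matters here. RFC 8705 puts
// the certificate binding in the RFC 7800 "cnf" claim as "x5t#S256": the
// base64url (no padding) SHA-256 of the DER-encoded client certificate.
type Claims struct {
	Subject string            `json:"sub"`
	Cnf     map[string]string `json:"cnf,omitempty"`
}

// authenticateClient is the token_endpoint side: the certificate presented in the
// TLS handshake (already chain-validated by the TLS stack) must match the DN the
// client registered as tls_client_auth_subject_dn. Simplification: DNs are
// compared as RFC 2253 strings rather than with the distinguishedNameMatch rule.
func authenticateClient(registeredDN string, presented *x509.Certificate) error {
	if presented == nil {
		return errors.New("no client certificate on the TLS connection")
	}
	got := presented.Subject.String()
	if got != registeredDN {
		return fmt.Errorf("certificate subject %q does not match registered DN %q", got, registeredDN)
	}
	return nil
}

// certThumbprint returns the x5t#S256 value: SHA-256 over the DER certificate, base64url unpadded.
func certThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// issueBoundToken is what the Authorization Server does after client authentication
// succeeds: the access token is bound to the certificate used for mutual TLS.
func issueBoundToken(sub string, clientCert *x509.Certificate) Claims {
	return Claims{Subject: sub, Cnf: map[string]string{"x5t#S256": certThumbprint(clientCert)}}
}

// verifyBinding is the Protected Resource side: the certificate on this TLS
// connection must hash to the token's x5t#S256. Policy assumption: a token with
// no cnf is refused rather than accepted as a plain bearer token.
func verifyBinding(tok Claims, presented *x509.Certificate) error {
	want, ok := tok.Cnf["x5t#S256"]
	if !ok {
		return errors.New("token has no x5t#S256 binding")
	}
	if presented == nil {
		return errors.New("no client certificate on this TLS connection")
	}
	if certThumbprint(presented) != want {
		return errors.New("client certificate does not match the token's cnf binding")
	}
	return nil
}

// newSelfSignedCert builds a throwaway certificate so the example runs offline;
// in a deployment the certificate comes from tls.ConnectionState.PeerCertificates[0].
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legit, _ := newSelfSignedCert("client-a") // the client registered with DN "CN=client-a"
	thief, _ := newSelfSignedCert("attacker") // holds only a copy of the token string

	fmt.Println("client auth, right cert:", authenticateClient("CN=client-a", legit))
	fmt.Println("client auth, wrong cert:", authenticateClient("CN=client-a", thief))
	tok := issueBoundToken("user@example.com", legit)
	fmt.Println("resource, legit client:", verifyBinding(tok, legit))
	fmt.Println("resource, stolen token:", verifyBinding(tok, thief))
	fmt.Println("resource, plain bearer:", verifyBinding(Claims{Subject: "x"}, legit))
}
```

Note that the thumbprint check alone does not prove possession of the Private Key; the TLS stack does that during the handshake, which is why the Protected Resource must take the certificate from its own mutual TLS connection and never from a header or the token body.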

Mutual TLS for OAuth Client Authentication and Mutual TLS Sender Constrained Resources Access are distinct mechanisms and need not be deployed together; an Authorization Server may issue certificate-bound Access Tokens to clients that authenticated by other means, and may accept mutual TLS client authentication without binding the tokens it issues.
