Overview
Mutual TLS Profiles for OAuth Clients describes Transport Layer Security (TLS) Mutual Authentication using X.509 certificates as a mechanism both for OAuth Client authentication to the token_endpoint and for sender-constrained access to OAuth protected resources.
The OAuth 2.0 Authorization Framework RFC 6749 defines a Shared Secret method of OAuth Client authentication (the client_secret) but also allows for the definition and use of additional client authentication mechanisms when interacting with the Authorization Server's token endpoint.
Mutual TLS Profiles for OAuth Clients describes an additional mechanism of client authentication utilizing mutual TLS RFC 5246 certificate-based authentication: the client proves possession of the Private Key for its certificate during the TLS handshake, so no secret ever leaves the client. This provides better security characteristics than Shared Secrets, which must be transmitted to the token endpoint on every request.
Mutual TLS sender-constrained access to protected resources ensures that only the party in possession of the Private Key corresponding to the certificate can utilize the Access Token to get access to the associated resources. Such a constraint is unlike the case of the basic Bearer Token described in RFC 6750, where any party in possession of the Access Token can use it to access the associated resources. Mutual TLS sender-constrained access prevents the use of stolen Access Tokens by binding the Access Token to the client's certificate: the Authorization Server places a SHA-256 thumbprint of the certificate the client authenticated with into the token's cnf (confirmation) claim as x5t#S256, and the Resource Server accepts the token only if the certificate presented in its own TLS handshake has the same thumbprint. An Access Token stolen from the client is therefore useless without the client's Private Key.
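The two halves of that binding (token endpoint computing the thumbprint into cnf, resource server checking it against the presented certificate) as an added worked example; this is illustrative code written for this page, not code from the draft or any implementation. It assumes an HS256-signed JWT with a key shared between the Authorization Server and Resource Server (a real AS would use an asymmetric signature), the function names issue_access_token and authorize_request are hypothetical, and the "certificates" are constructed placeholder byte strings standing in for DER-encoded certificates (in a real server the bytes come from ssl.SSLSocket.getpeercert(binary_form=True) after the mutual TLS handshake). The x5t#S256 computation itself, base64url(SHA-256(DER certificate)) without padding, is the one the draft defines.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates (NOT real certificates).
# In a real server the bytes come from ssl.SSLSocket.getpeercert(binary_form=True).
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-der-client-cert-A" * 4
ATTACKER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-der-client-cert-B" * 4

# Hypothetical HS256 key shared by AS and RS, used here only to keep the example
# self-contained; a real AS would sign with a private key (RS256/ES256).
AS_SIGNING_KEY = b"example-only-hs256-key-not-for-production"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT and x5t#S256 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256 confirmation value: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_access_token(client_id: str, client_cert_der: bytes, lifetime: int = 300) -> str:
    """Token endpoint side: after the client authenticated over mutual TLS,
    bind the issued token to that certificate via the cnf claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {
        "iss": "https://as.example", "sub": client_id, "aud": "https://rs.example",
        "iat": now, "exp": now + lifetime,
        "cnf": {"x5t#S256": x5t_s256(client_cert_der)},
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str) -> dict:
    """Check signature and expiry; return the claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(AS_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def authorize_request(token: str, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Resource server side: a valid token is not enough; the certificate from
    this request's TLS handshake must match the thumbprint the token was bound to."""
    try:
        claims = verify_jwt(token)
    except ValueError as e:
        return False, f"invalid token: {e}"
    cnf = claims.get("cnf", {})
    if "x5t#S256" not in cnf:
        # Not sender-constrained; this RS refuses to treat it as a bare bearer token.
        return False, "token lacks x5t#S256 confirmation"
    if presented_cert_der is None:
        return False, "no client certificate presented"
    if not hmac.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der)):
        return False, "certificate thumbprint mismatch"
    return True, claims["sub"]


if __name__ == "__main__":
    tok = issue_access_token("client-a", CLIENT_CERT_DER)
    print(authorize_request(tok, CLIENT_CERT_DER))    # legitimate holder of the key
    print(authorize_request(tok, ATTACKER_CERT_DER))  # stolen token, attacker's own cert
    print(authorize_request(tok, None))               # stolen token, no client cert
```

The thumbprint is over the DER bytes of the whole certificate, so a renewed certificate (new serial, new validity) changes it and previously issued tokens stop matching; clients that rotate certificates must obtain fresh tokens. Note also that the Resource Server only needs to compare thumbprints; it does not need to trust the client's certificate chain for the binding to hold, since possession of the matching Private Key is proven by the TLS handshake itself.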
More Information
There might be more information for this subject on one of the following:
- [#1] - Mutual TLS Profiles for OAuth Clients, draft-campbell-oauth-mtls-01 - based on information obtained 2017-04-10