Mutual TLS for OAuth Client Authentication


Mutual TLS for OAuth Client Authentication is defined in Mutual TLS Profiles for OAuth Clients and defines two client Authentication Methods.

Mutual TLS for OAuth Client Authentication is an extension of OAuth 2.0 client authentication (Section 2.3, RFC 6749) and provides two distinct methods of using mutual TLS X.509 client certificates as client credentials. Whether Mutual TLS for OAuth Client Authentication is required is determined by the Authorization Server, based on policy or configuration for the given client (regardless of whether the client was dynamically registered, statically configured, or otherwise established).

In order to utilize Mutual TLS for OAuth Client Authentication, the TLS connection between the OAuth Client and the Authorization Server MUST have been established or reestablished with mutual X.509 certificate-based authentication (i.e., the client Certificate Request and CertificateVerify messages are exchanged during the TLS Handshake, RFC 5246).

For all requests to the Authorization Server utilizing mutual TLS client authentication, the client MUST include the client_id parameter, described in OAuth 2.0, Section 2.2 (RFC 6749). The presence of the client_id parameter enables the Authorization Server to identify the client independently of the content of the certificate. The Authorization Server can locate the client configuration using the client_id and check the certificate presented in the TLS Handshake against the expected credentials for that client. The Authorization Server MUST enforce some method of binding a certificate to a client. Section 2.1 and Section 2.2 define two ways of binding a certificate to a client as two distinct client Authentication Methods.
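The Authorization Server side of this check, as an added example that is not part of this wiki page or the specification: the client is located by client_id, and the certificate the TLS layer presented is matched against that client's registered binding (subject DN for the PKI method, certificate thumbprint for the self-signed method, using the RFC 8705 method names). The registry layout, the tls_peer_cert shape and all certificate values are constructed assumptions; the TLS layer is assumed to have already validated the chain for PKI-bound clients.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed client registry: what the Authorization Server knows per client_id.
# Method names are the RFC 8705 values; the dictionary layout is an assumption.
CLIENTS = {
    "pki-client": {
        "method": "tls_client_auth",
        "tls_client_auth_subject_dn": "CN=pki-client,O=Example Corp,C=US",
    },
    "self-signed-client": {
        "method": "self_signed_tls_client_auth",
        # Registered certificate, given here as constructed stand-in DER bytes.
        "cert_der": b"constructed-self-signed-cert-der",
    },
}


def x5t_s256(cert_der: bytes) -> str:
    """base64url-encoded SHA-256 thumbprint of a DER certificate (x5t#S256)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authenticate_client(form: dict, tls_peer_cert: Optional[dict]) -> Tuple[bool, str]:
    """Decide whether the TLS-presented certificate authenticates the client named in the request.

    form: parsed request body parameters; tls_peer_cert: {"subject_dn": str, "der": bytes}
    as handed over by the (assumed) TLS layer, or None if no client certificate was sent."""
    if tls_peer_cert is None:
        return False, "no client certificate presented during the TLS handshake"
    client_id = form.get("client_id")
    if not client_id:  # client_id is REQUIRED for mutual TLS client authentication
        return False, "missing client_id parameter"
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client_id"
    # Binding check against the configuration of *this* client_id, so a valid
    # certificate that belongs to some other registered client is rejected.
    if client["method"] == "tls_client_auth":
        if tls_peer_cert["subject_dn"] != client["tls_client_auth_subject_dn"]:
            return False, "certificate subject DN does not match registered DN"
    elif client["method"] == "self_signed_tls_client_auth":
        if x5t_s256(tls_peer_cert["der"]) != x5t_s256(client["cert_der"]):
            return False, "certificate thumbprint does not match registered certificate"
    else:
        return False, "client is not configured for mutual TLS authentication"
    return True, f"client {client_id} authenticated via {client['method']}"
```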

More Information

There might be more information for this subject on one of the following: