OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens


OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens providesOAuth Client authentication and certificate bound access tokens using Mutual TLS Transport Layer Security (TLS) authentication with X.509 certificates.

OAuth clients are provided a mechanism for authentication to the authorization sever using Mutual TLS, based on either Self-signed Certificate or Public Key Infrastructure (PKI). OAuth Authorization Servers are provided a mechanism for binding Access Tokens to a client's mutual TLS certificate, and OAuth protected resources are provided a method for ensuring that such an Access Token presented to it was issued to the client presenting the token. OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens is an extension of OAuth 2.0, (Section 2.3 RFC 6749), and provides two distinct methods of using mutual TLS X.509 client certificates as OAuth Client credentials. The requirement of mutual TLS is determined by the Authorization Server based on policy or configuration for the given OAuth Client (regardless of whether the OAuth Client was dynamically registered or statically configured or otherwise established).

In order to utilize TLS for OAuth Client authentication, the TLS connection between the client and the authorization server MUST have been established or reestablished with mutual TLS X.509 certificate authentication (i.e. the Client Send Certificate and Certificate Verify messages are sent during the TLS Handshake RFC 5246).

For all requests to the Authorization Server utilizing mutual TLS client authentication, the client MUST include the client_id parameter, described in OAuth 2.0, Section 2.2 RFC 6749. The presence of the client_id parameter enables the Authorization Server to easily identify the OAuth Client independently from the content of the certificate. The Authorization Server can locate the OAuth Client configuration using the Client_id and check the certificate presented in the TLS Handshake against the expected credentials for that OAuth Client. The Authorization Server MUST enforce some method of binding a certificate to a client. Sections Section 2.1 and Section 2.2 define two ways of binding a certificate to a client as two distinct client Authentication Methods.

More Information#

There might be more information for this subject on one of the following: