This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] provides [OAuth Client] [authentication] and [certificate]-bound [access tokens] using [Mutual TLS] [Transport Layer Security] ([TLS]) [authentication] with [X.509] [certificates].
OAuth clients are provided a mechanism for [authentication] to the authorization server using [Mutual TLS], based on either a [Self-signed Certificate] or a [Public Key Infrastructure] ([PKI]). OAuth [Authorization Servers] are provided a mechanism for binding [Access Tokens] to a client's [mutual TLS] [certificate], and OAuth protected resources are provided a method for ensuring that an [Access Token] presented to them was issued to the client presenting the token.
[{$pagename}] is an extension of [OAuth 2.0] (Section 2.3 of [RFC 6749]) and provides two distinct methods of using [mutual TLS] [X.509] client [certificates] as [OAuth Client] [credentials]. Whether [mutual TLS] is required is determined by the [Authorization Server] based on [policy] or configuration for the given [OAuth Client] (regardless of whether the [OAuth Client] was [dynamically registered|OAuth 2.0 Dynamic Client Registration Protocol], statically configured, or otherwise established).
In order to utilize [TLS] for [OAuth Client] [authentication], the [TLS] connection between the client and the authorization server [MUST] have been established or reestablished with [mutual TLS] [X.509] [certificate] [authentication] (i.e. the [Client Send Certificate] and [Certificate Verify] messages are sent during the [TLS Handshake], [RFC 5246]).
For all [requests] to the [Authorization Server] utilizing mutual [TLS] client authentication, the client [MUST] include the [client_id] parameter, described in [OAuth 2.0], Section 2.2 of [RFC 6749]. The presence of the [client_id] parameter enables the [Authorization Server] to identify the [OAuth Client] independently of the content of the [certificate]. The [Authorization Server] can locate the [OAuth Client] configuration using the [client_id] and check the [certificate] presented in the [TLS Handshake] against the expected [credentials] for that [OAuth Client]. The [Authorization Server] [MUST] enforce some method of binding a [certificate] to a client. Sections 2.1 and 2.2 define two ways of binding a [certificate] to a client as two distinct client [Authentication Methods].
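The following is an added worked example, not code from this page or from any RFC 8705 implementation. It models the two checks the text describes: the authorization server looks up the client configuration by client_id and compares the certificate presented in the TLS handshake against it (subject DN for the PKI method, certificate thumbprint for the self-signed method), then issues a token carrying the certificate's SHA-256 thumbprint in its cnf claim; the protected resource later accepts the token only when the certificate on its own TLS connection has the same thumbprint. The certificates are constructed byte strings standing in for DER, the PresentedCert class is a hypothetical stand-in for what a TLS library would hand back, and the registry is a constructed sample; the method names follow the token_endpoint_auth_method values and the tls_client_auth_subject_dn metadata name from RFC 8705, and x5t#S256 is the confirmation-claim member that RFC 8705 uses.

```python
"""Added example: mutual TLS client authentication and certificate-bound
access tokens, modelled with Python's standard library only."""
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedCert:
    """Hypothetical stand-in for the X.509 certificate that the TLS layer
    already validated during the handshake. A real server would obtain the
    DER bytes and subject DN from its TLS library."""
    der: bytes          # DER encoding of the certificate
    subject_dn: str     # subject distinguished name, as a string


def x5t_s256(der: bytes) -> str:
    """base64url-encoded (unpadded) SHA-256 thumbprint of the DER certificate.
    This is the value RFC 8705 places in the token's cnf claim as x5t#S256."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed sample certificates: arbitrary bytes standing in for real DER.
PKI_CERT = PresentedCert(der=b"constructed-der-for-pki-client",
                         subject_dn="CN=pki-client,O=Example")
SELF_SIGNED_CERT = PresentedCert(der=b"constructed-der-for-self-signed-client",
                                 subject_dn="CN=self-signed-client")

# Constructed client registry keyed by client_id. The PKI method (Section 2.1)
# binds to an expected subject DN; the self-signed method (Section 2.2) binds
# to the registered certificate itself, here via its thumbprint.
CLIENT_REGISTRY = {
    "pki-client": {
        "method": "tls_client_auth",
        "tls_client_auth_subject_dn": "CN=pki-client,O=Example",
    },
    "selfsigned-client": {
        "method": "self_signed_tls_client_auth",
        "x5t#S256": x5t_s256(SELF_SIGNED_CERT.der),
    },
}


def authenticate_client(client_id, presented, registry=CLIENT_REGISTRY):
    """Authorization server side. client_id selects the client configuration
    independently of the certificate; the handshake certificate is then
    checked against that configuration. Returns True only on a match."""
    if presented is None:
        return False  # connection was not established with mutual TLS
    cfg = registry.get(client_id)
    if cfg is None:
        return False  # unknown client
    if cfg["method"] == "tls_client_auth":
        # Simplification: exact string comparison of the DN. Production code
        # should compare DNs by their RFC 4514 components rather than text.
        return hmac.compare_digest(cfg["tls_client_auth_subject_dn"],
                                   presented.subject_dn)
    if cfg["method"] == "self_signed_tls_client_auth":
        return hmac.compare_digest(cfg["x5t#S256"], x5t_s256(presented.der))
    return False  # client is not configured for mutual TLS authentication


def issue_bound_token(client_id, presented, registry=CLIENT_REGISTRY):
    """Returns the claims of an access token bound to the presented
    certificate, or None when client authentication fails."""
    if not authenticate_client(client_id, presented, registry):
        return None
    return {
        "client_id": client_id,
        "scope": "read",
        "cnf": {"x5t#S256": x5t_s256(presented.der)},
    }


def resource_accepts(token, presented) -> bool:
    """Protected resource side. The certificate on this TLS connection must
    carry the thumbprint the token was bound to; a stolen token presented
    over a connection with another certificate is rejected."""
    if token is None or presented is None:
        return False
    expected = token.get("cnf", {}).get("x5t#S256")
    if expected is None:
        return False  # token is not certificate-bound
    return hmac.compare_digest(expected, x5t_s256(presented.der))


if __name__ == "__main__":
    token = issue_bound_token("pki-client", PKI_CERT)
    print("issued:", token)
    print("same cert at resource:", resource_accepts(token, PKI_CERT))
    print("other cert at resource:", resource_accepts(token, SELF_SIGNED_CERT))
```

The comparisons use hmac.compare_digest so that a thumbprint or DN mismatch does not leak timing information; the thumbprint is computed over the full DER certificate, which is why re-issuing a client certificate (even for the same key) produces a different x5t#S256 and invalidates tokens bound to the old one.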
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]