!!! Overview
[{$pagename}] provides [OAuth Client] [authentication] and [certificate]-bound [access tokens] using [Mutual TLS] [Transport Layer Security] ([TLS]) [authentication] with [X.509] [certificates].

OAuth clients are provided a mechanism for [authentication] to the [Authorization Server] using [Mutual TLS], based on either a [Self-signed Certificate] or a [Public Key Infrastructure] ([PKI]). OAuth [Authorization Servers] are provided a mechanism for binding [Access Tokens] to a client's [mutual TLS] [certificate], and OAuth protected resources are provided a method for ensuring that an [Access Token] presented to them was issued to the client presenting the token.

[{$pagename}] is an extension of [OAuth 2.0] (Section 2.3 of [RFC 6749]) and provides two distinct methods of using [mutual TLS] [X.509] client [certificates] as [OAuth Client] [credentials].

The requirement of [mutual TLS] is determined by the [Authorization Server] based on [policy] or configuration for the given [OAuth Client], regardless of whether the [OAuth Client] was [dynamically registered|OAuth 2.0 Dynamic Client Registration Protocol], statically configured or otherwise established.

In order to utilize [TLS] for [OAuth Client] [authentication], the [TLS] connection between the client and the [Authorization Server] [MUST] have been established or reestablished with [mutual TLS] [X.509] [certificate] [authentication] (i.e. the [Client Send Certificate] and [Certificate Verify] messages are sent during the [TLS Handshake], [RFC 5246]).

For all [requests] to the [Authorization Server] utilizing [mutual TLS] client authentication, the client [MUST] include the [client_id] parameter described in [OAuth 2.0], Section 2.2 of [RFC 6749]. The presence of the [client_id] parameter enables the [Authorization Server] to identify the [OAuth Client] independently from the content of the [certificate].
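The following added example (not part of this page or of the specification's own text) sketches both checks described above in Python: the [Authorization Server] locating the client by the [client_id] parameter and comparing the handshake certificate against the registered binding (either the [PKI] method or the [Self-signed Certificate] method), and a protected resource confirming that the presented token was issued to the presenting certificate. The certificate is modelled as a small record of already-parsed fields rather than real DER; the method and claim names (tls_client_auth, self_signed_tls_client_auth, tls_client_auth_subject_dn, cnf / x5t#S256) are the ones defined in RFC 8705, and the registry contents and byte strings are constructed sample values.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 client certificate (constructed; no real DER parsing)."""
    subject: str   # RFC 4514 distinguished name, as produced by the TLS stack
    issuer: str    # issuer DN; chain validation itself is assumed done by the TLS layer
    der: bytes     # DER encoding, the input to the thumbprint below

def x5t_s256(der: bytes) -> str:
    """Certificate thumbprint used by RFC 8705: base64url(SHA-256(DER)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()

# Constructed client registry keyed by client_id (sample data, not a real deployment).
TRUSTED_ISSUERS = {"CN=Example Client CA,O=Example"}
CLIENTS = {
    "pki-client": {"token_endpoint_auth_method": "tls_client_auth",
                   "tls_client_auth_subject_dn": "CN=pki-client,O=Example"},
    "ss-client": {"token_endpoint_auth_method": "self_signed_tls_client_auth",
                  "x5t#S256": x5t_s256(b"constructed-self-signed-der")},
}

def authenticate_client(params: dict, cert: Optional[Cert]) -> Optional[str]:
    """Authorization-server side: returns the authenticated client_id, or None on failure."""
    client_id = params.get("client_id")           # MUST be present for mTLS client auth
    if client_id is None or cert is None:          # no id, or handshake had no client cert
        return None
    cfg = CLIENTS.get(client_id)                   # locate the client configuration by client_id
    if cfg is None:
        return None
    method = cfg["token_endpoint_auth_method"]
    if method == "tls_client_auth":
        # PKI method: cert chains to a trusted CA and its subject matches the registered DN.
        # (Exact string comparison is a simplification of RFC 4514 DN matching.)
        ok = cert.issuer in TRUSTED_ISSUERS and cert.subject == cfg["tls_client_auth_subject_dn"]
    elif method == "self_signed_tls_client_auth":
        # Self-signed method: the presented certificate must be exactly the registered one.
        ok = x5t_s256(cert.der) == cfg["x5t#S256"]
    else:
        ok = False                                 # client not configured for mTLS
    return client_id if ok else None

def token_bound_to_cert(token_claims: dict, cert: Cert) -> bool:
    """Protected-resource side: the token's cnf thumbprint must match the presenting cert."""
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    return expected is not None and expected == x5t_s256(cert.der)
```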
The [Authorization Server] can locate the [OAuth Client] configuration using the [client_id] and check the [certificate] presented in the [TLS Handshake] against the expected [credentials] for that [OAuth Client].

The [Authorization Server] [MUST] enforce some method of binding a [certificate] to a client. Sections 2.1 and 2.2 define two ways of binding a [certificate] to a client, as two distinct client [Authentication Methods].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]