oauth2.dev

tls_client_auth_san_dns

IESG

Registry Context

A client registration metadata parameter that specifies the expected dNSName subject alternative name in the certificate used for mutual-TLS client authentication.

Technical Summary

RFC 8705 defines tls_client_auth_san_dns as a string containing the value of an expected dNSName SAN entry in the certificate used by an OAuth client for mutual-TLS authentication.

When Used

During OAuth 2.0 Dynamic Client Registration to convey the expected certificate subject for the PKI method of mutual-TLS client authentication.

Normative Requirements

A client using the tls_client_auth authentication method

MUST
1
  1. RFC 8705 - Section 2.1.2

    use exactly one of the listed metadata parameters to indicate the certificate subject value expected by the authorization server.

    A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters

Validation Guidance

error

Reject a tls_client_auth registration that specifies tls_client_auth_san_dns together with another certificate-subject metadata parameter listed in Section 2.1.2.

info

Validate tls_client_auth_san_dns as a string containing the expected dNSName SAN value.

info

Treat this parameter as client metadata supporting the PKI method of mutual-TLS client authentication.

Reference

Details

Entry Id
tls_client_auth_san_dns
Client Metadata Name
tls_client_auth_san_dns
Client Metadata Description
String value specifying the expected dNSName SAN entry in the client certificate.
Change Controller
IESG
Reference
RFC8705 - Section 2.1.2