tls_ client_ auth_ san_ dns
Registry Context
A client registration metadata parameter that specifies the expected dNSName subject alternative name in the certificate used for mutual-TLS client authentication.
Technical Summary
RFC 8705 defines tls_client_auth_san_dns as a string containing the value of an expected dNSName SAN entry in the certificate used by an OAuth client for mutual-TLS authentication.
When Used
During OAuth 2.0 Dynamic Client Registration to convey the expected certificate subject for the PKI method of mutual-TLS client authentication.
Normative Requirements
A client using the tls_client_auth authentication method
RFC 8705 - Section 2.1.2
use exactly one of the listed metadata parameters to indicate the certificate subject value expected by the authorization server.
A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters
Validation Guidance
Reject a tls_client_auth registration that specifies tls_client_auth_san_dns together with another certificate-subject metadata parameter listed in Section 2.1.2.
Validate tls_client_auth_san_dns as a string containing the expected dNSName SAN value.
Treat this parameter as client metadata supporting the PKI method of mutual-TLS client authentication.
Reference
Details
- Entry Id
tls_client_ auth_ san_ dns - Client Metadata Name
tls_client_ auth_ san_ dns - Client Metadata Description
String value specifying the expected dNSName SAN entry in the client certificate.- Change Controller
IESG- Reference
RFC8705 - Section 2.1.2