oauth2.dev

tls_client_auth_san_email

IESG

Registry Context

This client metadata field specifies the expected rfc822Name SAN value in the certificate used for mutual-TLS authentication.

Technical Summary

An OAuth Dynamic Client Registration metadata parameter containing a string that identifies an expected rfc822Name subject alternative name entry for the PKI mutual-TLS client authentication method.

When Used

When a client using tls_client_auth identifies its certificate by an rfc822Name SAN entry.

Normative Requirements

A client using the tls_client_auth authentication method

MUST
1
  1. RFC 8705 - Section 2.1.2

    use exactly one of the PKI mutual-TLS client registration metadata parameters to indicate the certificate subject value expected by the authorization server.

    A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters

Validation Guidance

error

For a client using tls_client_auth, verify that exactly one PKI mutual-TLS subject metadata parameter is specified.

error

Verify that tls_client_auth_san_email is a string containing the expected rfc822Name SAN entry value.

Reference

Details

Entry Id
tls_client_auth_san_email
Client Metadata Name
tls_client_auth_san_email
Client Metadata Description
String value specifying the expected rfc822Name SAN entry in the client certificate.
Change Controller
IESG
Reference
RFC8705 - Section 2.1.2