oauth2.dev

tls_client_auth_san_ip

IESG

Registry Context

This client metadata identifies the IP-address SAN value expected in the certificate used by a client for PKI mutual-TLS authentication.

Technical Summary

`tls_client_auth_san_ip` is an OAuth 2.0 Dynamic Client Registration metadata parameter for the `tls_client_auth` method. Its value is an IPv4 address in dotted-decimal notation or an IPv6 address in RFC 5952 colon-delimited hexadecimal notation. It identifies an expected `iPAddress` SAN entry, and comparison with the certificate entry is performed in binary format.

When Used

When registering a client that uses the `tls_client_auth` PKI mutual-TLS client authentication method.

Normative Requirements

Clients

MUST
1
  1. RFC 8705 - Section 2.1.2

    Use exactly one of the defined mutual-TLS client authentication metadata parameters to identify the certificate subject value expected by the authorization server..

    Condition: When using the `tls_client_auth` authentication method.

    A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters

Validation Guidance

error

For a client using `tls_client_auth`, require exactly one of the defined certificate-subject metadata parameters; reject registrations containing none or more than one.

error

Verify that `tls_client_auth_san_ip` is an IPv4 address in dotted-decimal notation or an IPv6 address in RFC 5952 colon-delimited hexadecimal notation.

error

Compare the configured address with the certificate's `iPAddress` SAN entry in binary format.

Reference

Details

Entry Id
tls_client_auth_san_ip
Client Metadata Name
tls_client_auth_san_ip
Client Metadata Description
String value specifying the expected iPAddress SAN entry in the client certificate.
Change Controller
IESG
Reference
RFC8705 - Section 2.1.2