tls_ client_ auth_ san_ ip
Registry Context
This client metadata identifies the IP-address SAN value expected in the certificate used by a client for PKI mutual-TLS authentication.
Technical Summary
`tls_client_auth_san_ip` is an OAuth 2.0 Dynamic Client Registration metadata parameter for the `tls_client_auth` method. Its value is an IPv4 address in dotted-decimal notation or an IPv6 address in RFC 5952 colon-delimited hexadecimal notation. It identifies an expected `iPAddress` SAN entry, and comparison with the certificate entry is performed in binary format.
When Used
When registering a client that uses the `tls_client_auth` PKI mutual-TLS client authentication method.
Normative Requirements
Clients
RFC 8705 - Section 2.1.2
Use exactly one of the defined mutual-TLS client authentication metadata parameters to identify the certificate subject value expected by the authorization server..
Condition: When using the `tls_client_auth` authentication method.
A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters
Validation Guidance
For a client using `tls_client_auth`, require exactly one of the defined certificate-subject metadata parameters; reject registrations containing none or more than one.
Verify that `tls_client_auth_san_ip` is an IPv4 address in dotted-decimal notation or an IPv6 address in RFC 5952 colon-delimited hexadecimal notation.
Compare the configured address with the certificate's `iPAddress` SAN entry in binary format.
Reference
Details
- Entry Id
tls_client_ auth_ san_ ip - Client Metadata Name
tls_client_ auth_ san_ ip - Client Metadata Description
String value specifying the expected iPAddress SAN entry in the client certificate.- Change Controller
IESG- Reference
RFC8705 - Section 2.1.2