tls_ client_ auth_ subject_ dn
Registry Context
This client metadata field identifies the expected subject distinguished name of the certificate used by a client for tls_client_auth authentication. Such a client must use exactly one of the certificate-subject metadata parameters defined in RFC 8705 Section 2.1.2.
Technical Summary
tls_client_auth_subject_dn contains an RFC 4514 string representation of the expected subject distinguished name of the certificate that the OAuth client will use for mutual-TLS authentication.
When Used
Used with OAuth 2.0 Dynamic Client Registration to convey the expected certificate subject when the client uses the PKI mutual-TLS client authentication method tls_client_auth.
Normative Requirements
A client using the tls_client_auth authentication method
RFC 8705 - Section 2.1.2
use exactly one of the certificate-subject metadata parameters defined in Section 2.1.2 to indicate the certificate subject value expected by the authorization server.
A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters
Validation Guidance
When the client authentication method is tls_client_auth, require exactly one of tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, or tls_client_auth_san_email.
When tls_client_auth_subject_dn is present, validate that its value is a string representation of the expected subject distinguished name as defined by RFC 4514.
Reference
Details
- Entry Id
tls_client_ auth_ subject_ dn - Client Metadata Name
tls_client_ auth_ subject_ dn - Client Metadata Description
String value specifying the expected subject DN of the client certificate.- Change Controller
IESG- Reference
RFC8705 - Section 2.1.2