oauth2.dev

tls_client_auth_subject_dn

IESG

Registry Context

This client metadata field identifies the expected subject distinguished name of the certificate used by a client for tls_client_auth authentication. Such a client must use exactly one of the certificate-subject metadata parameters defined in RFC 8705 Section 2.1.2.

Technical Summary

tls_client_auth_subject_dn contains an RFC 4514 string representation of the expected subject distinguished name of the certificate that the OAuth client will use for mutual-TLS authentication.

When Used

Used with OAuth 2.0 Dynamic Client Registration to convey the expected certificate subject when the client uses the PKI mutual-TLS client authentication method tls_client_auth.

Normative Requirements

A client using the tls_client_auth authentication method

MUST
1
  1. RFC 8705 - Section 2.1.2

    use exactly one of the certificate-subject metadata parameters defined in Section 2.1.2 to indicate the certificate subject value expected by the authorization server.

    A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters

Validation Guidance

error

When the client authentication method is tls_client_auth, require exactly one of tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, or tls_client_auth_san_email.

error

When tls_client_auth_subject_dn is present, validate that its value is a string representation of the expected subject distinguished name as defined by RFC 4514.

Reference

Details

Entry Id
tls_client_auth_subject_dn
Client Metadata Name
tls_client_auth_subject_dn
Client Metadata Description
String value specifying the expected subject DN of the client certificate.
Change Controller
IESG
Reference
RFC8705 - Section 2.1.2