oauth2.dev

tls_client_auth

IESG

Registry Context

tls_client_auth is an OAuth client authentication method that uses mutual TLS and the PKI method to associate a certificate subject with a client.

Technical Summary

RFC 8705 registers tls_client_auth in the OAuth Token Endpoint Authentication Methods registry. Authentication uses a validated certificate chain and one expected subject distinguished name or subject alternative name configured or registered for the client.

When Used

Use when an authorization server requires a client to authenticate using a mutually authenticated TLS connection and the PKI certificate-association method.

Normative Requirements

Clients

MUST
2
  1. RFC 8705 - Section 2

    include the client_id parameter.

    Condition: for every request to the authorization server that uses mutual-TLS client authentication

    the client MUST include the client_id parameter

  2. RFC 8705 - Section 2.1.2

    use exactly one certificate-subject metadata parameter to indicate the certificate subject value expected by the authorization server.

    Condition: when using the tls_client_auth authentication method

    A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters

Authorization servers

MUST
1
  1. RFC 8705 - Section 2

    enforce the binding between the client and its certificate using the PKI mutual-TLS method.

    Condition: when processing mutual-TLS client authentication using tls_client_auth

    The authorization server MUST enforce the binding between client and certificate

client and authorization server

MUST
1
  1. RFC 8705 - Section 2

    establish or re-establish their TLS connection using mutual-TLS X.509 certificate authentication.

    Condition: to use TLS for OAuth client authentication

    the TLS connection between the client and the authorization server MUST have been established or re-established with mutual-TLS X.509 certificate authentication

Validation Guidance

error

Verify that the TLS connection was established or re-established with mutual-TLS X.509 certificate authentication.

error

Verify that each request using tls_client_auth includes the client_id parameter.

error

Verify that the presented certificate is bound to the identified client using the PKI method described in RFC 8705 Section 2.1.

error

Verify that client metadata for tls_client_auth contains exactly one of tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, or tls_client_auth_san_email.

Reference

Details

Entry Id
tls_client_auth
Token Endpoint Authentication Method Name
tls_client_auth
Change Controller
IESG
Reference
RFC8705 - Section 2.1.1