tls_ client_ auth
Registry Context
tls_client_auth is an OAuth client authentication method that uses mutual TLS and the PKI method to associate a certificate subject with a client.
Technical Summary
RFC 8705 registers tls_client_auth in the OAuth Token Endpoint Authentication Methods registry. Authentication uses a validated certificate chain and one expected subject distinguished name or subject alternative name configured or registered for the client.
When Used
Use when an authorization server requires a client to authenticate using a mutually authenticated TLS connection and the PKI certificate-association method.
Normative Requirements
Clients
RFC 8705 - Section 2
include the client_id parameter.
Condition: for every request to the authorization server that uses mutual-TLS client authentication
the client MUST include the client_id parameter
RFC 8705 - Section 2.1.2
use exactly one certificate-subject metadata parameter to indicate the certificate subject value expected by the authorization server.
Condition: when using the tls_client_auth authentication method
A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters
Authorization servers
RFC 8705 - Section 2
enforce the binding between the client and its certificate using the PKI mutual-TLS method.
Condition: when processing mutual-TLS client authentication using tls_client_auth
The authorization server MUST enforce the binding between client and certificate
client and authorization server
RFC 8705 - Section 2
establish or re-establish their TLS connection using mutual-TLS X.509 certificate authentication.
Condition: to use TLS for OAuth client authentication
the TLS connection between the client and the authorization server MUST have been established or re-established with mutual-TLS X.509 certificate authentication
Validation Guidance
Verify that the TLS connection was established or re-established with mutual-TLS X.509 certificate authentication.
Verify that each request using tls_client_auth includes the client_id parameter.
Verify that the presented certificate is bound to the identified client using the PKI method described in RFC 8705 Section 2.1.
Verify that client metadata for tls_client_auth contains exactly one of tls_client_auth_subject_dn, tls_client_auth_san_dns, tls_client_auth_san_uri, tls_client_auth_san_ip, or tls_client_auth_san_email.
Reference
Details
- Entry Id
tls_client_ auth - Token Endpoint Authentication Method Name
tls_client_ auth - Change Controller
IESG- Reference
RFC8705 - Section 2.1.1