openid / fapi / issues / #16 - Client Authentication -- Do we need TLS mutual authentication? — Bitbucket

Issue #16 resolved

Nat Sakimura created an issue 2016-08-02

It is OK for Web server clients/Aggregators, but it is completely unworkable for Smartphone Apps etc.

Is it not better to replace it with something like PKCE, Token Binding and OS Supported App Attestation where applicable?

Comments (16)

Nat Sakimura reporter
- changed status to open
Variable security level seems to be a good idea.
- 2016-08-02T23:53:11+00:00
Dave Tonge
I agree. For apps, token binding is hopefully the solution
- 2016-08-10T07:55:18+00:00
Nat Sakimura reporter
What do you think about the Read Only API? Do we still need token binding or strengthened OAuth as it is written in WD1 enough?
- 2016-09-13T14:52:46+00:00
Nat Sakimura reporter
- assigned issue to
  
  John Bradley
Assigning this ticket to John for strengthening the profile specified in section 5 and 6.
- 2016-09-20T08:47:06+00:00
Nat Sakimura reporter
Suggests replacing the bullets in 5.2.3 Confidential clients
- shall authenticate the client with client secret to access the Token Endpoint as in Section 4.1.3 of RFC6749;
with
- shall authenticate to the token endpoint using the client_secret_jwt or private_key_jwt method as described in section 9 of [OIDC];
- shall use HMAC SHA-256 algorithm where client_secret_jwt method is used;
- shall use the previously registered algorithm to sign the token where private_key_jwt method is used;
- 2016-09-20T21:55:05+00:00
John Bradley
We should also allow mutual TLS for server to server confidential clients.
- 2016-09-20T23:30:52+00:00
Sascha Preibisch
Mutual TLS should be allowed for any client (which may also be a server). Some frameworks for clients generate private keys, others customers push them to mobile devices via MDM solutions. They may want to leverage the private keys for those connections.
- 2016-09-25T08:15:34+00:00
Nat Sakimura reporter
@SaschaZeGerman, we discussed about it two calls ago and assigned to @ve7jtb to come up with a separate documentation to how to do the client TLS auth. We currently do not have a good documentation to point to. For the time being, we should just put in a place holder. Basically, the direction is as recorded in ~~#33~~, i.e.,

Mandate either:
- TLS Mutual Auth to the token endpoint according to new_tls_client_auth_doc
- JWS Assertion Client Auth to the token endpoint (cf. OIDC.)
- 2016-09-29T08:30:24+00:00
Nat Sakimura reporter
Now the draft is available as:

Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
- 2016-11-29T05:22:08+00:00
Nat Sakimura reporter
- changed component to Part 1: RO Security
- 2016-12-13T17:25:17+00:00
Nat Sakimura reporter
- edited description
- changed status to resolved
- 2018-01-29T17:10:48+00:00
Nat Sakimura reporter
- changed component to Part 1: Baseline
- 2022-12-14T15:35:52+00:00
Nat Sakimura reporter
- changed component to FAPI 1 - Part 1: Baseline
- 2022-12-14T15:36:25+00:00
Nat Sakimura reporter
- changed component to FAPI 1 – Part 1: Baseline
- 2022-12-14T15:36:58+00:00
Nat Sakimura reporter
- changed component to FAPI 1 – Baseline
- 2022-12-14T15:38:20+00:00
Nat Sakimura reporter
- changed component to FAPI 1: Baseline
- 2022-12-14T15:39:08+00:00
Log in to comment

Assignee: John Bradley

Type: proposal

Priority: major

Status: resolved

Component: FAPI 1: Baseline

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!