Client Authentication -- Do we need TLS mutual authentication?

Issue #16 resolved
Nat Sakimura created an issue

It is OK for Web server clients/Aggregators, but it is completely unworkable for Smartphone Apps etc.

Is it not better to replace it with something like PKCE, Token Binding and OS Supported App Attestation where applicable?

Comments (11)

  1. Nat Sakimura reporter

    What do you think about the Read Only API? Do we still need token binding, or is strengthened OAuth as it is written in WD1 enough?

  2. Nat Sakimura reporter

    Suggests replacing the bullets in 5.2.3 Confidential clients

    • shall authenticate the client with client secret to access the Token Endpoint as in Section 4.1.3 of RFC6749;

    • shall authenticate to the token endpoint using the client_secret_jwt or private_key_jwt method as described in section 9 of [OIDC];
    • shall use HMAC SHA-256 algorithm where client_secret_jwt method is used;
    • shall use the previously registered algorithm to sign the token where private_key_jwt method is used;

  3. Sascha Preibisch

    Mutual TLS should be allowed for any client (which may also be a server). Some frameworks for clients generate private keys; other customers push them to mobile devices via MDM solutions. They may want to leverage the private keys for those connections.

  4. Nat Sakimura reporter

    @SaschaZeGerman, we discussed it two calls ago and assigned @ve7jtb to come up with separate documentation on how to do the client TLS auth. We currently do not have good documentation to point to. For the time being, we should just put in a placeholder. Basically, the direction is as recorded in #33, i.e.,

    Mandate either:

    • TLS Mutual Auth to the token endpoint according to new_tls_client_auth_doc
    • JWS Assertion Client Auth to the token endpoint (cf. OIDC.)
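
    The JWS assertion client authentication proposed in comments 2 and 4, as an added example that is not code from this issue thread or from the FAPI specification: a client_secret_jwt assertion built with HMAC SHA-256, as comment 2 mandates, and the checks the token endpoint applies before accepting it. It uses only the standard library; the client id, client secret and token endpoint URL are constructed values.

```python
# Added example (not from the FAPI issue thread): client_secret_jwt client
# authentication with HMAC SHA-256, using only the standard library.
# CLIENT_ID, CLIENT_SECRET and TOKEN_ENDPOINT are constructed sample values.
import base64, hashlib, hmac, json, uuid

CLIENT_ID = "s6BhdRkqt3"                                 # constructed
CLIENT_SECRET = b"constructed-client-secret-of-at-least-256-bits!!"
TOKEN_ENDPOINT = "https://as.example.com/token"          # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(now: int, lifetime: int = 60) -> str:
    """Client side: JWT with iss == sub == client_id, aud == the token endpoint,
    a unique jti and a short exp, signed with HMAC SHA-256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_client_assertion(token: str, now: int, seen_jti: set):
    """Token endpoint side: pin the algorithm (never trust 'alg' from the token),
    recompute the MAC in constant time, then check iss/sub, aud, exp and that
    the jti has not been presented before. Returns the claims, or None on failure."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(CLIENT_SECRET, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        claims = json.loads(b64url_decode(c_b64))
    except ValueError:            # malformed token, bad base64 or bad JSON
        return None
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        return None
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in seen_jti:  # replayed assertion: one use only
        return None
    seen_jti.add(claims["jti"])
    return claims
```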