- changed status to open
Client Authentication -- Do we need TLS mutual authentication?
It is OK for Web server clients/Aggregators, but it is completely unworkable for Smartphone Apps etc.
Is it not better to replace it with something like PKCE, Token Binding and OS Supported App Attestation where applicable?
Comments (16)
-
reporter -
I agree. For apps, token binding is hopefully the solution.
-
reporter What do you think about the Read Only API? Do we still need token binding, or is strengthened OAuth, as written in WD1, enough?
-
reporter -
assigned issue to
Assigning this ticket to John for strengthening the profile specified in section 5 and 6.
-
assigned issue to
-
reporter Suggests replacing the bullets in 5.2.3 Confidential clients
- shall authenticate the client with client secret to access the Token Endpoint as in Section 4.1.3 of RFC6749;
with
- shall authenticate to the token endpoint using the `client_secret_jwt` or `private_key_jwt` method as described in section 9 of [OIDC];
- shall use `HMAC SHA-256` algorithm where `client_secret_jwt` method is used;
- shall use the previously registered algorithm to sign the token where `private_key_jwt` method is used;
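To make the proposed `client_secret_jwt` bullet concrete, here is an added example (not the working group's or any implementation's code): a client assertion signed with HMAC SHA-256 and the checks a token endpoint would apply to it, pinning the algorithm, audience, expiry and one-time `jti`. The client id, secret, endpoint URL and timestamps are constructed values; `private_key_jwt` differs only in that the signature is an asymmetric one over the registered key.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(client_id, client_secret, token_endpoint, jti, now, ttl=60):
    """Client side: build a client_secret_jwt assertion (HS256) with the OIDC Core section 9 claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_client_assertion(assertion, client_id, client_secret, token_endpoint, seen_jtis, now):
    """Token endpoint side. Returns None if accepted, otherwise a rejection reason."""
    try:
        h64, c64, s64 = assertion.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    if header.get("alg") != "HS256":  # profile mandates HMAC SHA-256; never accept "none" or an unlisted alg
        return "bad_alg"
    expected = hmac.new(client_secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return "bad_signature"
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return "bad_issuer"
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return "bad_audience"  # assertion was minted for a different endpoint
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return "expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:  # one-time use: reject replay within the assertion lifetime
        return "replayed"
    seen_jtis.add(jti)
    return None
```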
-
We should also allow mutual TLS for server to server confidential clients.
-
Mutual TLS should be allowed for any client (which may also be a server). Some frameworks for clients generate private keys, others customers push them to mobile devices via MDM solutions. They may want to leverage the private keys for those connections.
-
reporter @SaschaZeGerman, we discussed it two calls ago and assigned @ve7jtb to come up with a separate document on how to do the client TLS auth. We currently do not have good documentation to point to. For the time being, we should just put in a placeholder. Basically, the direction is as recorded in #33, i.e., mandate either:
- TLS Mutual Auth to the token endpoint according to new_tls_client_auth_doc
- JWS Assertion Client Auth to the token endpoint (cf. OIDC.)
-
reporter Now the draft is available as:
Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
-
reporter - changed component to Part 1: RO Security
-
reporter - edited description
- changed status to resolved
-
reporter - changed component to Part 1: Baseline
-
reporter - changed component to FAPI 1 - Part 1: Baseline
-
reporter - changed component to FAPI 1 – Part 1: Baseline
-
reporter - changed component to FAPI 1 – Baseline
-
reporter - changed component to FAPI 1: Baseline
Variable security level seems to be a good idea.