Currently FAPI RW has this clause:
> shall only issue authorization code, access token, and refresh token that are holder of key bound;
This has caused some misunderstanding, e.g. https://github.com/ConsumerDataStandardsAustralia/infosec/issues/31
However, there is an issue with the clause:
- both the code and the refresh token are used at the token endpoint
- we require the client to authenticate to that endpoint using either MTLS or private_key_jwt
- however we state that only OAUTB or MTLS must be used as holder of key mechanisms
- therefore strictly speaking we can only support private_key_jwt at the token endpoint if it is used with OAUTB or MTLS.
I don't think this makes sense and I suggest we remove the requirement that the refresh token and authorization code are holder of key bound.
The requirement that the client has to use asymmetric crypto to authenticate at the token endpoint has the same effect, and in practice is what I believe people have interpreted the spec to mean.