FAPI 2 Baseline - Client types

Issue #336 resolved
Steinar Noem created an issue

Should/could the Baseline profile reference the enhancements in OAuth 2.1 concerning client (authentication) types for the AS?

At the moment there is a requirement on both the AS and the Client to support client authentication, and I guess that the type of authentication is implicit (mTLS or private_key_jwt).

My experience is that an API will often want to know a little bit more about which type of client it communicates with.

Comments (7)

  1. Steinar Noem reporter

    Yes..

    Well, I’m not really sure if it belongs in FAPI tbh.. Might be more of a topic for the 2.1 group perhaps?

    But I think there are some “subtleties” regarding client types and their client secrets. E.g. if a “credentialed” client uses a client certificate that is issued by a trust service provider it will probably do something with the level of trust that an OP/AS and API will have to the client.

    I guess my question is whether FAPI would describe different requirements depending on different permutations of authentication/secret types (e.g. TSP CAs) and the client types in OAuth 2.1?