FAPI 2 Baseline - Client types
Should/could the Baseline profile reference the enhancements in OAuth 2.1 concerning client (authentication) types for the AS?
At the moment there is a requirement on both the AS and the Client to support client authentication, and I guess that the type of authentication is implicit (mTLS or private_key_jwt).
My experience is that an API will often want to know a little bit more about which type of client it communicates with.
Comments (7)
reporter: Yes..
Well, I’m not really sure if it belongs in FAPI tbh.. Might be more of a topic for the 2.1 group perhaps?
But I think there are some “subtleties” regarding client types and their client secrets. E.g. if a “credentialed” client uses a client certificate that is issued by a trust service provider it will probably do something with the level of trust that an OP/AS and API will have to the client.
I guess my question is whether FAPI would describe different requirements depending on different permutations of authentication/secret types (e.g. TSP CAs) and the client types in OAuth 2.1?
- changed milestone to 3rd Implementers Draft
Maybe we should have some discussions about public / credentialed / confidential
FWIW the term credentialed client might or might not be taken out of 2.1 https://github.com/aaronpk/oauth-v2-1/issues/107 and generally speaking FAPI probably shouldn’t take dependencies on OAuth 2.1 at this point.
I agree, Brian.
I’ve added clarification that FAPI2 only supports confidential clients
https://bitbucket.org/openid/fapi/pull-requests/325/add-scope-and-terms
- changed status to resolved
- changed component to FAPI2: Security Profile
I’m not sure if I understand which enhancements from OAuth 2.1 you refer to. Those laid out in Section 2.1?