1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. fapi
  4. Issues

certification query: supply of TLS client certs & use of mtls_endpoint_aliases

Issue #493 resolved
Joseph Heenan created an issue

I’m no longer sure how to implement TLS client certs and mtls_endpoint_aliases in the conformance suite, and would appreciate guidance from the working group:

In FAPIRWID2, this was pretty simple - MTLS sender constraining was required, so regardless of the client authentication in use we had to supply a TLS certificate at every endpoint (where “every” really means “token endpoint” as that’s the only endpoint that really gets used in the tests), and hence always used the mtls_endpoint_aliases version of the endpoint if one was present.

In FAPI1Adv final, that mostly remained the case, at least until people started using PAR.

In FAPI2Baseline/Advanced, it gets increasingly complex as we consider using DPoP instead of RFC8705 MTLS sender constraining, so there’s now cases where we never supply an MTLS client cert.

The complications happen when ecosystems then decide they also want to require an MTLS client certificate everywhere but want to use private_key_jwt client authentication (I think they’re essentially going for multi-layer defences, i.e. the same reasoning why we have the option for http signatures).

The current logic the suite has for the token endpoint is essentially:

if (usingMTLSClientAuth || usingMTLSSenderConstraining || ecosystemRequiresTLSClientCertEverywhere) {
    supplyMTLSCert = true;
}
url = server["token_endpoint"]
if (supplyMTLSCert && mtlsEndpointAliases.has(“token_endpoint”)) {
    url = mtlsEndpointAliases[“token_endpoint”]
}

For the PAR endpoint, it’s similar, except usingMTLSSenderConstraining is not checked.

For the user info endpoint, it’s similar except usingMTLSClientAuth is not checked.

Part of the reason for this logic is that I think if a self-signed TLS cert is in use for sender-constraining (combined with private_key_jwt client auth), there’s no requirement in the specs that presenting that self-signed cert at an MTLS aliased PAR endpoint will result in a successful call. (One option would be to detect a self-signed cert and add that into the above logic.)

This logic appears to differ from that in at least some clients, where I think they assume that any supplied MTLS cert is just presented at all endpoints, but they use the mtls_endpoint_aliases only in the case where at least one element of RFC8705 is in play.

I think the further complexity is just because the server is supporting an ecosystem that requires TLS client certs to be presented everywhere, it isn’t implied that other use cases the server supports will require TLS client certs.

I’m not clear what the correct logic is, but the current situation is giving rise to interoperability issues and would appreciate guidance as to what the correct logic is. (We also have RP tests that reflect some of this.)

Comments (6)

  1. Joseph Heenan reporter

    We discussed this on today’s working group call.

    Essentially this case is currently out of scope for FAPI / RFC8705 and hence the behaviour is not currently defined anywhere. This represents a possibility for different clients/authorization servers/ecosystems deciding different things and interoperability problems resulting.

    There are arguments that can be made both ways.

    1. That adding MTLS to all endpoints is a transport level (i.e. similar to a VPN) and that clients using private_key_jwt client authentication at the PAR endpoint are not using anything from RFC8705, and hence mtls_endpoint_aliases should not be processed for this case (and hence the endpoint in the root of the server metadata should be used).
    2. That the purpose of mtls_endpoint_aliases was to allow some endpoints to optionally require MTLS, allowing public clients running in a browser to interact with an AS without popping up ‘choose a certificate’ dialogues to the user, and following the logic in ‘1' would prevent authorization servers that support a 'FAPI with private_key_jwt and mandatory MTLS’ from also supporting those kind of clients for non-FAPI use cases.

    There seemed to be a consensus towards '1'.

    All 3 major FAPI ecosystems seem to have this ‘mandatory MTLS’ problem (UK OpenBanking, Brazil OpenBanking, Australia ConsumerDataRights), I believe there weren’t any clear objections to adding a note to the specs to try and head off the interoperability issue.

  2. Tom Jones

    People need to be clear about what MTLS actually means. It does not identity subjects, but computers. If that is helpful (for trusting clients) great. But don’t try to use it to like channel binding which has been rejected in the past for the reasons sited above (separation of concerns.)

  7. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
FAPI2: Message Signing
Milestone
Votes
0
Watchers
2
Jira: the preferred issue tracker for Bitbucket. Join the team!