oauth2 Profile - 2.3.2 @torsten comment
2.3.2
"Full clients, native clients with dynamically registered keys, and direct access clients as defined above MUST authenticate to the authorization server's token endpoint using a JWT assertion as defined by the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants using only the private_key_jwt method defined in OpenID Connect Core."
I understand the requirement for public key crypto, but mTLS would fulfill this requirement as well. I recommend including it.
Note: You raise the bar for client authentication while at the same time allowing unauthenticated/public clients. How does this match the intended increase in baseline security as stated in the introduction?
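For reference, the private_key_jwt method the quoted requirement mandates: the client signs a JWT assertion (iss/sub = client_id, aud = the token endpoint, a unique jti, short exp) with its registered private key and sends it as client_assertion; the authorization server validates it against the key it holds for that client_id. The following is an added illustration written for this issue, not code from the profile or from any referenced project. It assumes a hypothetical token endpoint URL and client_id, picks ES256 (P-256/SHA-256) as the signing algorithm since the quoted text names none, and uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical values for the example; the assertion's aud is bound to the token endpoint.
const tokenEndpoint = "https://as.example/token"
const clientID = "s6BhdRkqt3"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

// MakeAssertion builds the client_assertion JWT (RFC 7523 / private_key_jwt) signed with ES256.
func MakeAssertion(priv *ecdsa.PrivateKey, now time.Time) (string, error) {
	hdr := b64([]byte(`{"alg":"ES256","typ":"JWT"}`))
	jti := make([]byte, 16) // random, single-use identifier so the AS can detect replay
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	body, err := json.Marshal(claims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64(jti), Exp: now.Add(60 * time.Second).Unix(), Iat: now.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := hdr + "." + b64(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S (32 bytes each), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verifier is the AS side: registered public key per client_id plus the jti values already consumed.
type Verifier struct {
	keys map[string]*ecdsa.PublicKey
	seen map[string]int64
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, seen: map[string]int64{}}
}

func (v *Verifier) Register(id string, pub *ecdsa.PublicKey) { v.keys[id] = pub }

// VerifyAssertion returns the authenticated client_id or an error. The key is chosen by the
// registered client_id, never by anything inside the token, and alg is pinned to ES256.
func (v *Verifier) VerifyAssertion(tok string, now time.Time) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	bodyJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(bodyJSON, &c); err != nil {
		return "", err
	}
	pub, ok := v.keys[c.Iss]
	if !ok || c.Sub != c.Iss {
		return "", errors.New("unknown client or iss/sub mismatch")
	}
	if c.Aud != tokenEndpoint {
		return "", errors.New("aud is not this token endpoint")
	}
	if c.Exp <= now.Unix() {
		return "", errors.New("assertion expired")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	if _, dup := v.seen[c.Jti]; dup { // state is only touched after the signature checks out
		return "", errors.New("replayed jti")
	}
	v.seen[c.Jti] = c.Exp
	return c.Iss, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := NewVerifier()
	v.Register(clientID, &priv.PublicKey)
	tok, _ := MakeAssertion(priv, time.Now())
	fmt.Println(v.VerifyAssertion(tok, time.Now())) // client_id, <nil>
	fmt.Println(v.VerifyAssertion(tok, time.Now())) // "", replayed jti
}
```

The checks that matter for the "baseline security" point: the AS selects the key by client_id and pins alg, so a token cannot downgrade to HMAC or none; aud ties the assertion to one token endpoint; exp plus the consumed-jti set limits the window in which a captured assertion is useful. mTLS, as proposed above, proves key possession at the transport layer instead of through a signed assertion, but the AS still needs a per-client registered certificate or key to compare against.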
Comments (4)
Account Deactivated (reporter): Not doing client JWT for key mgmt issues.
Add other forms of public key crypto.
Make a note that client_secret_jwt is not recommended due to key management challenges and not specific security concerns.
- changed status to resolved
Added mTLS