- changed status to resolved
Confidential clients must support specific authentication methods to AS token endpoint
Clients and the AS should support both MTLS and private_key_jwt so that either can be chosen, but must support at least one of the two:
iGov current:
[2.3.2] Full clients, native clients with dynamically registered keys, and direct access clients as defined above MUST authenticate to the authorization server's token endpoint using a JWT assertion as defined by the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants using only the private_key_jwt method defined in OpenID Connect Core. The JWT assertion MUST be signed by the client using the client's private key.
FAPI2:
[5.3.1.1] #6 The AS shall authenticate clients using one of the following methods:
• MTLS as specified in section 2 of [RFC8705]
• private_key_jwt
Suggested statement to drive support:
[2.2.3] Confidential clients MUST support authentication to the authorization server's token endpoint using MTLS or private_key_jwt, and SHOULD support both MTLS and private_key_jwt.
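As an added illustration of the private_key_jwt option discussed above (example code written for this issue, not from the iGov or FAPI profiles or any tracked project): the client builds and RS256-signs the RFC 7523 assertion, and the AS token endpoint verifies it against the key registered for that client_id, pinning the JOSE header and checking iss/sub, aud, exp and jti replay. Only the Go standard library is used; the client_id, token endpoint URL and claim values are constructed, and carrying the assertion in the token request (client_assertion / client_assertion_type) is left to the HTTP layer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims of a private_key_jwt assertion (RFC 7523 section 3); json.Unmarshal matches the lowercase names case-insensitively.
type Claims struct {
	Iss, Sub, Aud, Jti string // iss and sub: client_id; aud: token endpoint URL; jti: one-time id against replay
	Exp                int64  // expiry, Unix seconds
}
var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) // the only JOSE header the AS accepts
// NewAssertion is the client side: build the claims and sign them with the client's own private key.
func NewAssertion(key *rsa.PrivateKey, clientID, tokenURL, jti string, exp int64) (string, error) {
	body, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": jti, "exp": exp})
	input := header + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// Authenticate is the AS side: keys maps registered client_ids to public keys, seen (non-nil) is the jti replay cache.
func Authenticate(assertion, tokenURL string, keys map[string]*rsa.PublicKey, seen map[string]bool, now int64) (string, error) {
	p := append(strings.Split(assertion, "."), "", "") // pad so p[1], p[2] are addressable even if malformed
	body, err1 := b64.DecodeString(p[1])
	sig, err2 := b64.DecodeString(p[2])
	var c Claims
	if len(p) != 5 || p[0] != header || err1 != nil || err2 != nil || json.Unmarshal(body, &c) != nil || c.Iss != c.Sub || c.Jti == "" {
		return "", errors.New("malformed assertion, unsupported header, iss/sub mismatch, or missing jti")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if key := keys[c.Sub]; key == nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("unknown client or signature does not verify under its registered key")
	}
	if c.Aud != tokenURL || c.Exp < now || seen[c.Jti] {
		return "", errors.New("wrong audience, expired, or replayed jti")
	}
	seen[c.Jti] = true // each assertion is accepted once
	return c.Sub, nil
}
```

The audience check is what stops an assertion minted for one AS from being accepted at another, and the jti cache is what stops a captured assertion from being presented a second time within its lifetime.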
Comments (1)
reporter
Clarified in Issue #45 and resolved in PR #18