CIBA's OAuth MTLS reference fix/update

Issue #72 resolved
Brian Campbell created an issue

Sec 4 of the latest CIBA draft from source on Polling and Pairwise Identifiers says that "it is MANDATORY for the Client to authenticate the token endpoint using one of this two mechanisms" and then cites "Mutual TLS as defined in section 3 Mutual TLS Sender Constrained Resources Access of the [I-D.ietf-oauth-mtls]" as one of the mechanisms. However, section 3 of the OAuth MTLS draft isn't about client authentication, so pointing to it in that context doesn't really make sense.

Mutual TLS for OAuth Client Authentication is defined in section 2 of that document and more specifically the Self-Signed Certificate Mutual TLS OAuth Client Authentication Method is defined in sec 2.2 and is probably the more appropriate reference here because it (potentially) makes use of the client's jwks_uri.

Also just noticed that the "this" should be "these" in that first sentence quoted.

I-D.ietf-oauth-mtls is at draft -09 now (rather than -07) and hopefully a real RFC soon (by IETF time anyway).

http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001198.html

Comments (10)

  1. Brian Campbell
    • changed status to open

    The ticket description says to use the Self-Signed Certificate Mutual TLS OAuth Client Authentication Method defined in sec 2.2 of that draft, but somehow the text in the CIBA document says the 2.1 PKI method, which should be fixed.

  2. Brian Campbell

    Pull request #43 updates the text to say Self-Signed Certificate Mutual TLS OAuth Client Authentication Method rather than the PKI method.

  3. Brian Campbell

    Updated Pull request #43 with bb46d77 to explain a bit more why self-signed MTLS (and private_key_jwt) with jwks_uri work for PPIDs, by showing that the jwks_uri belongs to the client.
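The check the comments above are describing, as an added example that is not part of this issue or of the CIBA or OAuth MTLS drafts: on the authorization server side, the self-signed certificate method is satisfied only when the certificate the client presented in the TLS handshake matches an `x5c` entry in the JWKS served from the client's registered `jwks_uri`, and the host of that same `jwks_uri` is what the pairwise sector is derived from. The JWKS, the `jwks_uri` and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-ins: the client's registered jwks_uri and the JWKS the AS
# would fetch from it. SAMPLE_CERT_DER is a placeholder for the DER encoding
# of the client's self-signed certificate (real DER would go here).
CLIENT_JWKS_URI = "https://client.example.com/.well-known/jwks.json"
SAMPLE_CERT_DER = b"constructed-der-bytes-of-client-self-signed-cert"
CLIENT_JWKS = json.dumps({"keys": [
    # x5c carries the certificate chain as standard (not URL-safe) base64 DER.
    {"kid": "mtls-1", "kty": "EC", "use": "sig",
     "x5c": [base64.b64encode(SAMPLE_CERT_DER).decode("ascii")]},
    # A JWK without x5c publishes a key but no certificate, so it cannot be
    # matched against a TLS client certificate.
    {"kid": "jwt-1", "kty": "RSA", "use": "sig", "e": "AQAB"},
]})


def x5t_s256(der: bytes) -> str:
    """base64url SHA-256 certificate thumbprint (the JWK x5t#S256 value)."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def match_self_signed_cert(jwks_json: str, presented_der: bytes):
    """Return the kid whose x5c[0] equals the presented certificate, else None.

    Self-signed method: no PKI chain validation, the JWKS published at the
    client's jwks_uri is the only source of truth for which cert is the client's.
    """
    jwks = json.loads(jwks_json)
    for jwk in jwks.get("keys", []):
        chain = jwk.get("x5c") or []
        if not chain:
            continue  # no certificate published for this key
        leaf = base64.b64decode(chain[0])
        if leaf == presented_der:
            return jwk.get("kid")
    return None


def sector_identifier(jwks_uri: str) -> str:
    """Host of the jwks_uri: the sector a pairwise subject identifier is scoped to."""
    return urlparse(jwks_uri).hostname
```

Because both the certificate match and the sector are anchored to the same `jwks_uri`, a client that proves it holds the private key for a certificate published there has also proven it controls the sector its pairwise identifiers are bound to.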
