CIBA's OAuth MTLS reference fix/update
Sec 4 of the latest CIBA draft from source on Polling and Pairwise Identifiers says that "it is MANDATORY for the Client to authenticate the token endpoint using one of this two mechanisms" and then cites "Mutual TLS as defined in section 3 Mutual TLS Sender Constrained Resources Access of the [I-D.ietf-oauth-mtls]" as one of the mechanisms. However, section 3 of the OAuth MTLS draft isn't about client authentication so pointing to it in that context doesn't really make sense.
Mutual TLS for OAuth Client Authentication is defined in section 2 of that document and more specifically the Self-Signed Certificate Mutual TLS OAuth Client Authentication Method is defined in sec 2.2 and is probably the more appropriate reference here because it (potentially) makes use of the client's jwks_uri.
Also just noticed that the "this" should be "these" in that first sentence quoted.
I-D.ietf-oauth-mtls is at draft -09 now (rather than -07) and hopefully a real RFC soon (by IETF time anyway).
http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20180709/001198.html
Comments (10)
reporter: Pull request attempting to address this: https://bitbucket.org/openid/mobile/pull-requests/11/fix-update-cibas-oauth-mtls-reference/diff
- changed status to resolved
merged PR
- changed status to open
The ticket description says to use the Self-Signed Certificate Mutual TLS OAuth Client Authentication Method defined in sec 2.2 of that draft, but somehow the text in the CIBA document says 2.1, the PKI method, which should be fixed.
Pull request #43 updates to say Self-Signed Certificate Mutual TLS OAuth Client Authentication Method rather than the PKI method
assigned issue to
assigned issue to
I think we may need to clarify in the text why only Self-signed is appropriate.
- changed milestone to CIBA Implementer's Draft
- changed status to resolved
Merged pull request
-10 now