In the upcoming revision of the draft I've reworked and moved that section [1] so that it is more focused on public clients and certificate bound tokens (see [a]). But yes, I think it comes down to saying that a client that is expecting to use MTLS (for whatever reason: bound tokens or client auth or both) for something would use the mtls-specific endpoint when making the request (or the regular endpoint, if no mtls-specific endpoint is present). And yeah the AS would accept other client auth methods (including none for public clients) at the mtls token endpoint. Maybe a hundred messages back in this whole thread, at one point anyway, I used the word alias for the endpoint to try and capture the idea that it would most likely be the same application logic and the mtls endpoint would just be on a different host/port to allow the TLS layer to be set up differently for the different context. Maybe that name and/or idea should resurface?
[a] https://github.com/ietf-oauth-mtls/i-d/commit/d1c1db18e62db2cf7665f69d3162a391ba1aa03c On Fri, Feb 15, 2019 at 1:33 PM Neil Madden <neil.mad...@forgerock.com> wrote: > As another case - if the client wants certificate-bound access tokens but > still authenticates with client_secret_basic or is a public client (as per > [1]), presumably it can use the mtls-specific endpoints and assume they > support all the other authentication methods as the normal endpoints? > > But so long as we can define some half-sensible behaviour for these cases, > I’m happy with this proposal. > > [1] https://tools.ietf.org/html/draft-ietf-oauth-mtls-12#section-4.3 > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
