I was wondering if anyone had any recommended MTLS best practices for mobile apps and native browsers.
Considering Section 6 of RFC8252…

After constructing the authorization request URI, the app uses platform-specific APIs to open the URI in an external user-agent. Typically, the external user-agent used is the default browser, that is, the application configured for handling "http" and "https" scheme URIs on the system; however, different browser selection criteria and other categories of external user-agents MAY be used.

What choices do developers have to ensure the authorization (and subsequent user authentication) occur over MTLS?

Can the app provide its own key for MTLS or can it ask that an embedded X.509 cert be used (assuming one is available)?

Are there any platform issues or best practices?

Phil Hunt | Cloud Security and Identity Architect
Oracle Corporation, Oracle Cloud Infrastructure
@independentid
www.independentid.com
phil.h...@oracle.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth