Yes. I was more wondering if the app can invoke the system embedded view using its own key pair to ensure protected authen.
E.g. if the authorization endpoint is set to require mutual TLS, can the system view use the app’s keys since the app is invoking it? Or would there have to be a user X.509 cert embedded in the browser store? I agree browser-based apps are another matter.

Phil

> On May 2, 2019, at 11:27 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
> Hi Phil,
>
> since mTLS is used at the token endpoint, native apps can definitely use their own key pair. I would assume such an app to act as public client, but mTLS would allow such an app to bind its key pair with the token request to the issued tokens.
>
> Apps running in the browser are a separate topic. There are potential issues with using the certs in the browser. That’s why work towards an application level PoP mechanism has been started - DPoP.
>
> best regards,
> Torsten.
>
>> Am 02.05.2019 um 20:41 schrieb Phil Hunt <phil.h...@oracle.com>:
>>
>> I was wondering if anyone had any recommended MTLS best practices for mobile apps and native browsers.
>>
>> Considering Section 6 of RFC8252…
>> After constructing the authorization request URI, the app uses platform-specific APIs to open the URI in an external user-agent. Typically, the external user-agent used is the default browser, that is, the application configured for handling "http" and "https" scheme URIs on the system; however, different browser selection criteria and other categories of external user-agents MAY be used.
>>
>> What choices do developers have to ensure the authorization (and subsequent user authentication) occur over MTLS? Can the app provide its own key for MTLS or can it ask that an embedded X.509 cert be used (assuming one is available)?
>>
>> Are there any platform issues or best practices?
>>
>> Phil Hunt | Cloud Security and Identity Architect
>> Oracle Corporation, Oracle Cloud Infrastructure
>> @independentid
>> www.independentid.com
>> phil.h...@oracle.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
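As an added illustration (not code from this thread or from any of its participants) of the binding Torsten describes: when the native app authenticates at the token endpoint with its own key pair, the authorization server can issue a certificate-bound access token carrying the certificate thumbprint in the `cnf.x5t#S256` claim (RFC 8705), and the resource server accepts the token only if the certificate presented on the mTLS connection has that thumbprint. The certificates and token below are constructed placeholders, and JWT signature verification is assumed to have been done before this check runs.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments and x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint per RFC 8705: base64url(SHA-256(DER cert))."""
    return b64url(hashlib.sha256(cert_der).digest())


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Only the payload segment is decoded here; the caller must already have
    verified the signature against the AS keys before trusting these claims.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def is_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server check: the certificate presented on the mTLS connection
    must match the cnf.x5t#S256 thumbprint the AS placed in the access token."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False  # not certificate-bound: refuse it on an mTLS-only resource
    expected = cnf["x5t#S256"].encode("utf-8")
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der).encode())


# Constructed sample inputs: placeholder DER bytes, not real certificates.
APP_CERT_DER = b"\x30\x82constructed-der-of-the-native-app-cert"
OTHER_CERT_DER = b"\x30\x82constructed-der-of-some-other-cert"


def demo_token(claims: dict) -> str:
    """Constructed unsigned demo token in compact form (header.payload.sig)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


BOUND_TOKEN = demo_token({"sub": "alice", "scope": "read",
                          "cnf": {"x5t#S256": x5t_s256(APP_CERT_DER)}})
BEARER_TOKEN = demo_token({"sub": "alice", "scope": "read"})
```

A token stolen from the app is useless to a caller that cannot also present the app's certificate on the TLS connection, which is the property that makes the binding worthwhile for a public client.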