Are you hoping to use the key to authenticate the user, or the OAuth client? If it's the latter, then you don't need to use MTLS to the authorisation endpoint. If it's the former, I'd argue that you would certainly need to include your public key in an X509 cert and *somehow* make it available to the system browser.
On Fri, 3 May 2019 at 08:07, Phil Hunt <phil.h...@oracle.com> wrote:

> Yes. I was more wondering if the app can invoke the system embedded view using its own key pair to ensure protected authen.
>
> Eg. If the authorization endpoint is set to require mutual tls, can the system view use the app's keys since the app is invoking it?
>
> Or, would there have to be a user x.509 cert embedded in the browser store?
>
> I agree browser based apps is another matter.
>
> Phil
>
> On May 2, 2019, at 11:27 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>
> Hi Phil,
>
> since mTLS is used at the tokens endpoint, native apps can definitely use their own key pair. I would assume such an app to act as public client, but mTLS would allow such an app to bind its key pair with the token request to the issued tokens.
>
> Apps running in the browser is a separate topic. There are potential issues with using the certs in the browser. That's why work towards an application level PoP mechanism has been started - DPoP.
>
> best regards,
> Torsten.
>
> On 02.05.2019 at 20:41, Phil Hunt <phil.h...@oracle.com> wrote:
>
> I was wondering if anyone had any recommended MTLS best practices for mobile apps and native browsers.
>
> Considering Section 6 of RFC8252…
>
> After constructing the authorization request URI, the app uses platform-specific APIs to open the URI in an external user-agent. Typically, the external user-agent used is the default browser, that is, the application configured for handling "http" and "https" scheme URIs on the system; however, different browser selection criteria and other categories of external user-agents MAY be used.
>
> What choices do developers have to ensure the authorization (and subsequent user authentication) occur over MTLS? Can the app provide its own key for MTLS or can it ask that an embedded X.509 cert be used (assuming one is available)?
>
> Are there any platform issues or best practices?
>
> Phil Hunt | Cloud Security and Identity Architect
> Oracle Corporation, Oracle Cloud Infrastructure
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Rob Otto
EMEA Field CTO/Solutions Architect, Ping Identity
robo...@pingidentity.com
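Torsten's point that mTLS at the token endpoint lets a native app bind its own key pair to the issued tokens is the certificate-bound token mechanism of RFC 8705. The added example below (not code from the thread or from any of the posters) shows both halves of that binding with only the standard library: the authorization server puts the `x5t#S256` thumbprint of the client certificate presented at the token endpoint into the token's `cnf` claim, and the resource server accepts the token only when the certificate on its own TLS connection has the same thumbprint. The certificate bytes are constructed stand-ins for DER, since only their hash matters here.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for DER-encoded client certificates (not real certificates).
APP_CERT_DER = b"CONSTRUCTED-DER-native-app-cert"
OTHER_CERT_DER = b"CONSTRUCTED-DER-some-other-client-cert"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 'x5t#S256': base64url (no padding) of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_claims(claims: dict, client_cert_der: bytes) -> dict:
    """Authorization server side, at the token endpoint: the TLS layer has already
    verified the client's certificate; record its thumbprint in the token's cnf claim."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def is_sender_constrained_ok(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource server side: a certificate-bound token is valid only on a TLS connection
    where the client presented the certificate named in cnf. A token without cnf is a plain
    bearer token and is rejected here, i.e. this resource requires sender-constrained tokens."""
    cnf = claims.get("cnf") or {}
    expected = cnf.get("x5t#S256")
    if not expected or presented_cert_der is None:
        return False
    # Constant-time comparison of the two thumbprint strings.
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


def replay_check() -> dict:
    """Worked case: the token issued to the app works for the app, and the same token
    replayed from a connection with a different (or no) client certificate is refused."""
    token = bind_token_claims({"sub": "user-123", "scope": "read"}, APP_CERT_DER)
    return {
        "same_client": is_sender_constrained_ok(token, APP_CERT_DER),
        "other_client": is_sender_constrained_ok(token, OTHER_CERT_DER),
        "no_client_cert": is_sender_constrained_ok(token, None),
    }
```

The authorization endpoint is the part this cannot cover: that request is made by the system browser, which has no access to the app's key pair, which is why the thread turns to a user certificate in the browser store or to an application-level mechanism such as DPoP.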