Are you hoping to use the key to authenticate the user, or the OAuth
client? If it's the latter, then you don't need to use MTLS to the
authorisation endpoint. If it's the former, I'd argue that you would
certainly need to include your public key in an X509 cert and *somehow*
make it available to the system browser.

On Fri, 3 May 2019 at 08:07, Phil Hunt <phil.h...@oracle.com> wrote:

> Yes. I was more wondering if the app can invoke the system embedded view
> using its own key pair to ensure protected authen.
>
> E.g. If the authorization endpoint is set to require mutual TLS, can the
> system view use the app’s keys since the app is invoking it?
>
> Or, would there have to be a user X.509 cert embedded in the browser
> store?
>
> I agree browser-based apps are another matter.
>
> Phil
>
> On May 2, 2019, at 11:27 PM, Torsten Lodderstedt <tors...@lodderstedt.net>
> wrote:
>
> Hi Phil,
>
> since mTLS is used at the token endpoint, native apps can definitely use
> their own key pair. I would assume such an app to act as a public client,
> but mTLS would allow such an app to bind its key pair with the token
> request to the issued tokens.
>
> Apps running in the browser are a separate topic. There are potential
> issues with using the certs in the browser. That’s why work towards an
> application-level PoP mechanism has been started - DPoP.
>
> best regards,
> Torsten.
>
> Am 02.05.2019 um 20:41 schrieb Phil Hunt <phil.h...@oracle.com>:
>
> I was wondering if anyone had any recommended MTLS best practices for
> mobile apps and native browsers.
>
> Considering Section 6 of RFC8252…
>
>    After constructing the authorization request URI, the app uses
>    platform-specific APIs to open the URI in an external user-agent.
>    Typically, the external user-agent used is the default browser, that
>    is, the application configured for handling "http" and "https" scheme
>    URIs on the system; however, different browser selection criteria and
>    other categories of external user-agents MAY be used.
>
>
> What choices do developers have to ensure the authorization (and
> subsequent user authentication) occur over MTLS? Can the app provide its
> own key for MTLS or can it ask that an embedded X.509 cert be used
> (assuming one is available)?
>
> Are there any platform issues or best practices?
>
> Phil Hunt | Cloud Security and Identity Architect
> Oracle Corporation, Oracle Cloud Infrastructure
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


-- 
Rob Otto
EMEA Field CTO/Solutions Architect
robo...@pingidentity.com
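The binding Torsten describes above (the app's mTLS key pair tied to the issued token) is what a resource server checks when it receives the token. The following is an added example, not code from this thread: it implements the RFC 8705 `cnf` / `x5t#S256` thumbprint check, assumes the token's claims have already been extracted from a signature-verified JWT, and uses constructed byte strings in place of real DER certificates.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the DER bytes of client certificates
# (a real cert is several hundred bytes; only its SHA-256 matters here).
APP_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-app-client-cert-der"
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-other-cert-der"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_claims(cert_der: bytes, sub: str = "app-user") -> dict:
    """Authorization-server side: bind the token to the cert presented on the
    mTLS-protected token request by recording its thumbprint in cnf."""
    return {
        "iss": "https://as.example",  # hypothetical issuer
        "sub": sub,
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def is_cert_bound(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server side: accept only if the token carries cnf.x5t#S256 and
    it matches the client certificate seen on this TLS connection.
    A token without cnf is a plain bearer token, not sender-constrained."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))
```

Presenting the same token over a connection authenticated with a different certificate fails the check, which is the property that makes the token useless if it leaks.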