Honestly it didn't even occur to me that someone would try this, since the
entire point of the authorization endpoint is that it's the thing the
user's browser talks to. Adding MTLS just means you're going to have to
send the user to some other endpoint instead, which is then effectively
acting as the authorization endpoint anyway. So yeah I could see adding
some language around the authorization endpoint needing to be accessible by
the user agent without MTLS or other funny stuff.

PAR also fits in nicely in that case since the PAR endpoint could be
protected with MTLS since it *is* intended to only be accessible from the
OAuth client.

Aaron

On Tue, May 25, 2021 at 4:38 PM Justin Richer <jric...@mit.edu> wrote:

> I'm actually wondering if we should add discussion about not putting mtls
> on the authorisation endpoint into OAuth 2.1. Aaron et al, thoughts?
>
> -Justin
> ________________________________________
> From: A. Rothman [amich...@amichais.net]
> Sent: Tuesday, May 25, 2021 7:03 PM
> To: Justin Richer
> Cc: Sascha Preibisch; IETF oauth WG
> Subject: Re: [OAUTH-WG] Can a client send the Authorization Request?
>
> Justin,
>
> Thanks for this analysis. It pretty much sums up my own thoughts about
> this better than I could have :-)
>
> I just hope I wasn't 'leading the witness' too much... I'll have to
> double-check the details to make sure I didn't miss anything, but as I
> understand it, that's more or less it.
>
> btw it occurred to me that PAR wouldn't solve this specific problem either
> - if I understood correctly, it still ends with the user agent sending an
> Authorization Request to the AS, just with PAR-specific parameters instead
> of the usual ones... if so, and if the endpoint is still required to use
> mTLS, thus needs to be sent by the client... it would just be kicking the
> can down the road and violating the PAR spec instead.
>
> Thanks again for your time and explanations,
>
> Amichai
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
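The split Aaron describes above, as an added worked example that is not part of this thread and not code from any of its participants: the PAR endpoint (RFC 9126) is the client-to-AS back channel and enforces mutual TLS, while the authorization endpoint is the user-agent front channel and asks for no client certificate; the user agent is sent there with only client_id and request_uri. Everything below is constructed for illustration: the TLS layer is simulated (a client certificate is stood in for by the SHA-256 thumbprint a TLS terminator would hand the application after a successful mTLS handshake, as with the RFC 8705 methods), and the client registration, URLs, lifetime and error codes are assumptions, not any real server's behaviour.

```python
"""Constructed example: mTLS on the PAR endpoint, none on the authorization endpoint.

The TLS layer is simulated; a client certificate is represented by the thumbprint a
TLS terminator would pass to the application. Client registration, URLs, the
request_uri lifetime and the error codes are illustrative assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

PAR_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # request_uri form from RFC 9126
REQUEST_URI_LIFETIME = 60                               # seconds; an AS-chosen value

# Hypothetical registration: with the RFC 8705 mTLS methods the client is bound
# to a certificate, modelled here by its thumbprint.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_CERT_THUMBPRINT = "3f7a1c9e0b2d4e6f8a1b3c5d7e9f0a2b4c6d8e0f1a3b5c7d9e1f2a4b6c8d0e2f"
REGISTERED_CLIENTS = {
    CLIENT_ID: {
        "cert_thumbprint": CLIENT_CERT_THUMBPRINT,
        "redirect_uris": ["https://client.example.org/cb"],
    },
}


class AuthorizationServer:
    def __init__(self, clients, now=time.time):
        self.clients = clients
        self.now = now          # injectable clock so expiry can be exercised
        self._pushed = {}       # request_uri -> (client_id, params, expires_at)

    def par_endpoint(self, form, client_cert_thumbprint):
        """Back channel. Only the OAuth client calls this, so mTLS is required."""
        client = self.clients.get(form.get("client_id"))
        if client is None or client_cert_thumbprint is None:
            return 401, {"error": "invalid_client"}
        if not secrets.compare_digest(client_cert_thumbprint, client["cert_thumbprint"]):
            return 401, {"error": "invalid_client"}
        if "request_uri" in form:   # RFC 9126: a pushed request must not carry one
            return 400, {"error": "invalid_request"}
        if form.get("redirect_uri") not in client["redirect_uris"]:
            return 400, {"error": "invalid_request"}
        request_uri = PAR_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (form["client_id"], dict(form),
                                     self.now() + REQUEST_URI_LIFETIME)
        return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def authorization_endpoint(self, query):
        """Front channel. Reached by the user agent's redirect over ordinary
        server-authenticated TLS; no client certificate is requested here."""
        entry = self._pushed.pop(query.get("request_uri"), None)  # one-time use
        if entry is None:
            return 400, {"error": "invalid_request_uri"}
        owner, params, expires_at = entry
        if owner != query.get("client_id") or self.now() > expires_at:
            return 400, {"error": "invalid_request_uri"}
        # The AS would now continue with the user-facing steps (login, consent)
        # using the pushed parameters; returning them stands in for that here.
        return 200, params


def build_authorization_redirect(authorization_endpoint_url, client_id, request_uri):
    """What the client sends the user agent to: only client_id and request_uri."""
    return authorization_endpoint_url + "?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})


def run_flow(as_=None):
    """Drive the flow end to end and return what each side observed."""
    as_ = as_ or AuthorizationServer(REGISTERED_CLIENTS)
    form = {
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": "https://client.example.org/cb", "scope": "openid",
        "state": secrets.token_urlsafe(16),
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    }
    # 1. Client -> PAR endpoint. Without a client certificate the AS refuses.
    no_cert_status, _ = as_.par_endpoint(form, client_cert_thumbprint=None)
    par_status, par_body = as_.par_endpoint(form, client_cert_thumbprint=CLIENT_CERT_THUMBPRINT)
    # 2. Client redirects the user agent; the URL carries no request parameters.
    location = build_authorization_redirect(
        "https://as.example.com/authorize", CLIENT_ID, par_body["request_uri"])
    # 3. User agent -> authorization endpoint, no mTLS; a replay is rejected.
    query = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    first_status, first_body = as_.authorization_endpoint(query)
    replay_status, replay_body = as_.authorization_endpoint(query)
    return {
        "par_without_cert": no_cert_status,
        "par_status": par_status,
        "redirect_query_keys": sorted(query),
        "authorize_status": first_status,
        "authorize_scope": first_body.get("scope"),
        "replay_status": replay_status,
        "replay_error": replay_body.get("error"),
    }


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key}: {value}")
```

The point of the split is visible in run_flow: the only request the browser ever makes to the AS carries nothing a TLS client certificate would protect, so the AS can terminate mTLS on the PAR endpoint alone and leave the authorization endpoint reachable by any user agent.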