The following changes to RFC 8705 have been proposed:

- introduce a new error code (e.g. "invalid_mtls_certificate") to be used when the certificate is required by the AS/RS, but the underlying stack has been misconfigured and the client didn't send one;
- for bound token use, change Authorization scheme from Bearer to MTLS;
- for token response returning a bound token, change token_type from Bearer to MTLS

See discussion: https://mailarchive.ietf.org/arch/msg/oauth/XfeH2q0Rwa2YocsR484xk-8LMqc/

Accepting the changes would imply a new RFC and the obsolescence of the current one.

Two questions so far:

- what's the group's general stance on this, would that be a welcome change?
- if so, could we also hear from the implementors if there are any other issues / suggested changes.

Dmitry
Backbase / Keycloak