Hi All,

1. RFC 8705 requires thumbprint confirmation of the client certificate. It is the same client certificate which is used by the client application while establishing mutual-TLS with the authorisation server or the protected resource server. I have not found any specific methodology in the RFC to get this client certificate from the mTLS stack to the OAuth stack for enabling thumbprint confirmation. Section 3.2 of RFC 8705 states:

> The protected resource compares that certificate hash to a hash of the client certificate used for mutual-TLS authentication and rejects the request if they do not match.

2. RFC 8705 has a provision for associating client certificate metadata in the form of 'jwks_uri' or 'jwks' with the authorisation server. Section 2.2.2 states:

> For the Self-Signed Certificate method of binding a certificate with a client using mutual-TLS client authentication, the existing jwks_uri or jwks metadata parameters from [RFC7591] are used to convey the client's certificates via JSON Web Key (JWK) in a JWK Set [RFC7517].

However, the RFC does not spell out any association of 'jwks_uri' or 'jwks' with protected resource servers. Also, as per RFC 7517, 'jwks_uri' or 'jwks' is used at the application level mostly to validate the signatures of signed tokens. Is there any update in the RFC for TLS to use 'jwks_uri' or 'jwks' as keystores for the client certificates in a TLS-based authentication mechanism? Section 2 of RFC 7517 states:

> For instance, these keys might be used by some applications for validating signed requests made to the token endpoint when using JWTs for client authentication

3. It will be great if someone can help with clarity on the above aspects.

Regards and Best Wishes
Jaimandeep Singh
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
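As an added illustration (not code from this thread or from any RFC implementation) of the two checks the questions touch on: the protected resource's thumbprint comparison from RFC 8705 section 3.2, and matching a presented certificate against the `x5c` entries of the client's registered `jwks`/`jwks_uri` for the self-signed certificate method of section 2.2.2. The DER bytes, token claims and JWK Set below are constructed stand-ins, and the hand-off of the peer certificate from the TLS layer to the application is assumed to be done by the server framework.

```python
import base64
import hashlib
import hmac


def b64url_nopad(data: bytes) -> str:
    """base64url without padding, the encoding JWT/JWK values use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 certificate thumbprint: base64url(SHA-256(DER certificate))."""
    return b64url_nopad(hashlib.sha256(cert_der).digest())


def confirm_binding(cert_der: bytes, token_claims: dict) -> bool:
    """Protected-resource check (RFC 8705 section 3): the token's cnf/x5t#S256
    must equal the thumbprint of the certificate the TLS layer authenticated.
    A token without a cnf claim is not certificate-bound, so it is rejected."""
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, x5t_s256(cert_der))


def matches_registered_jwks(cert_der: bytes, jwks: dict) -> bool:
    """Self-signed certificate method (RFC 8705 section 2.2.2): the presented
    certificate must be one registered for the client via jwks/jwks_uri.
    RFC 7517 carries certificates in the JWK 'x5c' member as standard base64
    (not base64url) of the DER encoding; the end-entity cert is x5c[0]."""
    for jwk in jwks.get("keys", []):
        x5c = jwk.get("x5c", [])
        if x5c and hmac.compare_digest(base64.b64decode(x5c[0]), cert_der):
            return True
    return False


# Constructed sample input: byte strings stand in for DER certificates that a
# real server would obtain from the mTLS connection's peer certificate.
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-der-stand-in-for-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-der-stand-in-for-another-cert"

# Constructed access-token claims as an AS would issue them for that client.
TOKEN_CLAIMS = {"sub": "client-123", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}

# Constructed JWK Set as registered for the client (jwks or fetched from jwks_uri).
CLIENT_JWKS = {
    "keys": [{"kty": "RSA", "use": "sig",
              "x5c": [base64.b64encode(CLIENT_CERT_DER).decode("ascii")]}]
}
```

The comparison in `confirm_binding` is what section 3.2 describes; obtaining `cert_der` is the TLS-to-OAuth hand-off the question asks about, which the RFC leaves to the deployment.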