Dear OAuth community,

Deploying confidential OAuth clients typically requires developers to manage and rotate client secrets issued by the OAuth Authorization Server. Whilst this simple approach offers the quickest and easiest experience for workload developers, it creates security risks that many corporate environments want to avoid. With RFC 7521/7523 a framework has been created that sets the tone for client authentication on the basis of outside credentials; adopting it is not necessarily straightforward, as many deployment aspects such as key distribution are not covered.
Pieter Kasselmann and I have developed a profile of this framework specifically for SPIFFE <https://spiffe.io/> (Secure Production Identity Framework For Everyone) which allows clients that are already in possession of a SPIFFE credential to use that as client authentication against OAuth Authorization Servers. The draft covers the actual authentication part, but also looks at trust establishment, key discovery and validation. We're hoping to be able to present this draft at one of the OAuth sessions in Madrid and are looking for feedback from the OAuth community. The draft can be found at https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/ .

Kind regards,
Arndt

---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Tue, Jul 1, 2025 at 9:30 AM
Subject: New Version Notification for draft-schwenkschuster-oauth-spiffe-client-auth-00.txt
To: Arndt Schwenkschuster <arndts.i...@gmail.com>, Pieter Kasselmann <pie...@spirl.com>

A new version of Internet-Draft draft-schwenkschuster-oauth-spiffe-client-auth-00.txt has been successfully submitted by Arndt Schwenkschuster and posted to the IETF repository.
Name:     draft-schwenkschuster-oauth-spiffe-client-auth
Revision: 00
Title:    OAuth SPIFFE Client Authentication
Date:     2025-07-01
Group:    Individual Submission
Pages:    16
URL:      https://www.ietf.org/archive/id/draft-schwenkschuster-oauth-spiffe-client-auth-00.txt
Status:   https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/
HTML:     https://www.ietf.org/archive/id/draft-schwenkschuster-oauth-spiffe-client-auth-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-schwenkschuster-oauth-spiffe-client-auth

Abstract:

This specification profiles the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [RFC7521] and JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [RFC7523] to enable the use of SPIFFE Verifiable Identity Documents (SVIDs) as client credentials in OAuth 2.0. It defines how OAuth clients with SPIFFE credentials can authenticate to OAuth authorization servers using their JWT-SVIDs or X.509-SVIDs without the need for client secrets. This approach enhances security by enabling seamless integration between SPIFFE-enabled workloads and OAuth authorization servers while eliminating the need to distribute and manage shared secrets such as static client secrets.

The IETF Secretariat