0

I am reading this OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

I am interested to know how the certificates and public keys are exchanged between the client and the auth server. Maybe in offline mode/manual? or online for example in a post?

So are these actions of the protocol or we must perform them manually?

loutsi1
  • 51
  • 7

1 Answers1

1

As client you can registrate those certificates during OAuths Dynamic Client Registration:

Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol.

The metadata that need to be registrated at the authorization server are specified in the OAuth mTLS RFC in:

katexochen
  • 323
  • 1
  • 8
  • 1
    Welcome to security.SE! Link-only answers are discouraged because they become useless if the link goes dead (which I know is low risk for an RFC link, but still...). This would be a better answer if you copy the relevant parts of those RFCs so that your Answer is self-contained? – Mike Ounsworth Jan 22 '21 at 14:45
  • Hi Mike, thanks for your comment. I think the pages I linked only provide additional information. The *answer* is that "you can registrate those certificates during OAuth Dynamic Client Registration", isn'it? I think I cannot resume the whole client registration, and this is also not what was asked for. The other links provide information on what information to registrate in context of mTLS OAuth, which is additional information as well. If you disagree, pleas make a more concret suggestion what I could improve, thanks. ;) – katexochen Jan 22 '21 at 16:05
  • @Mike Nevertheless, I added a short part from the beginning of the Client Reg RFC, for those who do not know what it is about. But I still do not know what I could cite from the mTLS RFC, since the information is very specific and hardly to understand outside of the full texts context. – katexochen Jan 22 '21 at 16:11