Stronger recommendation for client authentication#68

Open
aaronpk wants to merge 2 commits intomainfrom
aaronpk-patch-1

Conversation

@aaronpk (Member) commented Mar 6, 2026

Clarified client credential management and authentication methods in the metadata document.

Comment on lines +270 to +271
Clients that are capable of maintaining private key material and performing client authentication
SHOULD do so with an acceptable method.
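Review bot: "an acceptable method" in the SHOULD at lines 270 to 271 is never defined, so the requirement cannot be checked against anything; either point it at the place where the accepted client authentication methods are enumerated, or give the reader at least one named example in the sentence, so that "acceptable" has a concrete meaning for implementers.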
Contributor:

Should this just explicitly say "e.g., private_key_jwt" ?

@aaronpk (Member Author):

I wanted to leave the door open for other methods in the future.

The particular method of how the client manages the private key is out of scope of this specification, but may include manual provisioning or methods such as Attestation Based Client Authentication [I-D.draft-ietf-oauth-attestation-based-client-auth]. For example, the client developer could run a Client Attester Backend, using a native application's platform-specific APIs to authenticate to the backend service, where the private key corresponding to the `jwks_uri` key is managed by the backend service. This would allow a mobile app to request JWTs from the backend service that the mobile app could then use as client authentication to the authorization server.
When a client declares `token_endpoint_auth_method` as `private_key_jwt`, the authorization server
MUST require client authentication according to {{Section 2.2 of RFC7523}} using the corresponding key published in the client's metadata document.
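Review bot: the MUST says the key is "published in the client's metadata document", while the paragraph above speaks of "the private key corresponding to the `jwks_uri` key"; the two should use one phrase that covers both an embedded `jwks` and a referenced `jwks_uri`, for example "the key discovered from the client's metadata document". The MUST also only describes the success path: add what the authorization server does when the metadata document yields no key matching the presented assertion (reject the token request rather than fall back to another method), since that is the case an implementer is most likely to get wrong.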
Contributor:

This makes it sound like we MUST use jwks in the CIMD, instead of jwks_uri (which I think we prefer?)

@aaronpk (Member Author):

Yeah, that was not my intent. Maybe "published or referenced"?

Contributor:

I'd probably just say "referenced", since embedding is a reference in a way... Maybe "discovered from the client's metadata document"?
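The point the thread settles on is that the authorization server's check has to work whichever way the client's metadata document carries its keys, embedded as `jwks` or referenced by `jwks_uri`. The following is an added example written for this page, not text or code from the draft or from the PR author: an authorization-server side verification of a `private_key_jwt` client assertion (RFC 7523 Section 2.2, claims per Section 3) whose public key is discovered from the client's metadata document. It assumes a metadata document with a `client_id` field naming the client, the hostnames `as.example` and `app.example`, an in-memory dictionary standing in for the HTTPS fetch of `jwks_uri`, and a small pure-Python RS256 written out only so the file runs offline; the rejection of an unknown `alg`, of a `kid` that does not match exactly one key, and of a client that did not declare `private_key_jwt` are this example's design choices, not requirements quoted from the draft.

```python
"""Added example (not the draft's text): an authorization server checking a
private_key_jwt client assertion against a key discovered from the client's
metadata document, embedded as `jwks` or referenced by `jwks_uri`. Standard
library only; the tiny RS256 below is here so the file runs offline."""
import base64, hashlib, json, secrets, time

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# -- minimal RSASSA-PKCS1-v1_5 with SHA-256 (JOSE "RS256"); production code uses a vetted library
def _probable_prime(n, rounds=32):                        # Miller-Rabin
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if _probable_prime(c):
            return c
def rsa_keygen(bits=1024):
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                            # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}
def _emsa(msg, k):                                        # EMSA-PKCS1-v1_5, k = modulus length in bytes
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return secrets.compare_digest(em, _emsa(msg, k))
def public_jwk(key, kid):
    n = key["n"]
    return {"kty": "RSA", "kid": kid, "e": b64u(key["e"].to_bytes(3, "big")),
            "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big"))}

# -- client side: assertion per RFC 7523 Section 3 (iss = sub = client_id, aud = token endpoint)
def make_client_assertion(key, kid, client_id, token_endpoint):
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + 60, "jti": secrets.token_urlsafe(16)}
    si = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64u(json.dumps(claims).encode())
    return si + "." + b64u(rs256_sign(key, si.encode()))

# -- authorization-server side
def client_keys(metadata, fetch):
    """Keys discovered from the metadata document: embedded `jwks`, else `jwks_uri`
    retrieved with fetch(url), which returns the parsed JWKS document (assumed stub)."""
    if "jwks" in metadata:
        return metadata["jwks"]["keys"]
    return fetch(metadata["jwks_uri"])["keys"] if "jwks_uri" in metadata else []

def verify_client_assertion(assertion, metadata, token_endpoint, fetch, now=None):
    """Return the verified claims, or raise ValueError naming the failed check."""
    if metadata.get("token_endpoint_auth_method") != "private_key_jwt":
        raise ValueError("client did not declare private_key_jwt")
    h, c, s = assertion.split(".")
    hdr = json.loads(b64u_dec(h))
    if hdr.get("alg") != "RS256":                         # the assertion never picks the algorithm
        raise ValueError("unsupported alg")
    keys = [k for k in client_keys(metadata, fetch)
            if k.get("kty") == "RSA" and k.get("kid") == hdr.get("kid")]
    if len(keys) != 1:
        raise ValueError("no unique RSA key with that kid in the client's metadata")
    n, e = (int.from_bytes(b64u_dec(keys[0][f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{c}".encode(), b64u_dec(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(c))
    aud = claims.get("aud", [])
    if not (claims.get("iss") == claims.get("sub") == metadata["client_id"]):
        raise ValueError("iss and sub must equal the client_id")
    if token_endpoint not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("aud must be the token endpoint")
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("assertion expired")
    return claims

if __name__ == "__main__":                                # constructed walk-through
    key, te, cid = rsa_keygen(), "https://as.example/token", "https://app.example/client.json"
    md = {"client_id": cid, "token_endpoint_auth_method": "private_key_jwt",
          "jwks_uri": "https://app.example/jwks.json"}
    web = {md["jwks_uri"]: {"keys": [public_jwk(key, "k1")]}}   # stands in for an HTTPS fetch
    print(verify_client_assertion(make_client_assertion(key, "k1", cid, te), md, te, web.__getitem__))
```

The order of checks is deliberate: the server first confirms that the metadata document declares `private_key_jwt` at all, then selects the key from the metadata document (never from anything inside the assertion itself beyond the `kid` used to pick among the client's own keys), verifies the signature, and only then trusts the claims. The same `verify_client_assertion` call serves a client whose document embeds `jwks` and one whose document points at `jwks_uri`, which is the property the wording discussed above is trying to express.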
