OAuth MTLS Sender Constrained Tokens
RFC 8705 mTLS bound access tokens.
Definition
mTLS client authentication at the token endpoint uses X.509 client certificate presented during TLS handshake. Issued access token contains cnf (confirmation) with x5t#S256 (SHA-256 cert thumbprint). Resource Server verifies that the cert presented during mTLS of the request matches cnf. Alternative to DPoP for token binding, simpler implementation but requires mTLS everywhere.
Origin
IETF OAuth WG, RFC 8705 published February 2020.
Usage
Widely adopted in UK Open Banking FAPI 1.0 Advanced, Brazil Open Finance, regulated financial sectors.
Related terms
- mTLS — mécanisme sous-jacent.
- OAuth DPoP — alternative application layer.
- FAPI 1.0 — profil utilisateur.