I think Neil commented once somewhere about maybe seeing value in both at the same time. He's smarter than me so I don't like to contradict him. But I've always thought of them as mutually exclusive. And practically/pragmatically I think it really is one or the other.
On Fri, Nov 12, 2021 at 9:39 AM Dmitry Telegin <dmitryt= [email protected]> wrote:

> As an implementer of one binding mechanism (DPoP) for the AS (Keycloak)
> that already features another (MTLS), I'm running into the question whether
> we should allow those two to be used simultaneously (which could be of
> course extrapolated to other hypothetical mechanisms). By "simultaneously"
> I mean binding a single token using both methods given that the material
> for both has been provided with the request.
>
> I guess currently mutual exclusivity is implied. Though in theory the
> "cnf" section of the AT could contain both "jkt" and "x5t#S256", the
> mechanisms are using different values for "token_type" and authentication
> scheme ("DPoP" for DPoP, "Bearer" for MTLS, though the latter might change
> to "MTLS" in the future) and we define no mechanism to combine them (could
> be "Bearer+DPoP" or "DPoP+MTLS" for example, which would be valid as per
> RFCs 7230 and 7235).
>
> I apologize if the question has been asked before; didn't find anything
> relevant in the ML. The implementer of MTLS for Keycloak also voted for
> mutually exclusive behavior.
>
> - Dmitry
> Backbase / Keycloak
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
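A resource-server check that enforces the one-or-the-other position taken in the thread, as an added example (not code from Keycloak or from either poster): it accepts a token whose "cnf" claim names exactly one of "jkt" or "x5t#S256", verifies the matching proof material against it, and rejects a token that carries both. The thumbprint computations follow RFC 7638 (JWK thumbprint) and RFC 8705 (x5t#S256); the function names, the auth_scheme parameter and the sample inputs are assumptions.

```python
import base64
import hashlib
import json
from typing import Optional

# Constructed example: a resource server deciding whether the key material
# presented with a request satisfies the access token's "cnf" claim.
# Policy: DPoP and MTLS binding are mutually exclusive, so a token with both
# "jkt" and "x5t#S256" is rejected instead of being treated as doubly bound.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}  # optional members (use, kid, ...) are ignored
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url-encoded SHA-256 of the DER-encoded client certificate."""
    return b64url(hashlib.sha256(cert_der).digest())

def check_binding(cnf: dict, auth_scheme: str,
                  dpop_jwk: Optional[dict], client_cert_der: Optional[bytes]) -> str:
    """Return "ok" or a "reject: ..." reason. Exactly one binding method must be present."""
    methods = [m for m in ("jkt", "x5t#S256") if m in cnf]
    if len(methods) != 1:
        return "reject: cnf must name exactly one binding method, got %d" % len(methods)
    if methods[0] == "jkt":
        # DPoP-bound token: must arrive under the DPoP scheme with a proof carrying the key
        if auth_scheme != "DPoP" or dpop_jwk is None:
            return "reject: jkt-bound token requires the DPoP scheme and a DPoP proof key"
        return "ok" if jwk_thumbprint(dpop_jwk) == cnf["jkt"] else "reject: jkt mismatch"
    # MTLS-bound token: Bearer scheme, and the TLS client certificate must match
    if auth_scheme != "Bearer" or client_cert_der is None:
        return "reject: x5t#S256-bound token requires the Bearer scheme and a client certificate"
    return "ok" if cert_thumbprint(client_cert_der) == cnf["x5t#S256"] else "reject: x5t#S256 mismatch"
```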
