Hi,
I agree with Jeff's review comments. I also think client registration, and in particular how to announce support for this client authentication in client metadata and server metadata, must be in scope. Discussing proof-of-possession mechanisms for client authentication JWTs in this context is definitely an interesting point, but the client-attestation draft may be sufficient for that purpose.
I don't think there is anything SPIFFE-specific in the draft, except that it refers to the SPIFFE ID and the SPIFFE bundle, which is basically a JWKS URI. Maybe it's possible to phrase the guidance in the draft in a way that applies to other workload credentials as well.
FYI, with regard to the implementation status, the Curity Identity Server supports client authentication with workload credentials. For evidence see:
- https://curity.io/docs/idsvr/latest/token-service-admin-guide/mutual-tls.html#subject-alternative-name
- https://curity.io/docs/idsvr/latest/token-service-admin-guide/clients.html#workload-identity-support
Best regards,
Judith

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
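Editor's added example (not part of Judith's mail, not the draft's text and not Curity's implementation) of the flow the thread is about: a workload mints a private_key_jwt-style client assertion from its SPIFFE identity, and the authorization server verifies it against the trust domain's bundle treated as the client's JWKS, which is the "bundle is basically a JWKS URI" point above. Everything below is assumed for illustration: the client_id registered at the AS is the workload's SPIFFE ID; the bundle is a JWKS whose JWT-SVID signing keys carry "use":"jwt-svid" (following the SPIFFE bundle format); the assertion is ES256; and the SPIFFE IDs and endpoint URLs are constructed. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk: P-256 JWK fields used here; "use":"jwt-svid" marks JWT-SVID signing keys in a SPIFFE bundle
// (kty/crv omitted for brevity; a production verifier also checks kty=EC, crv=P-256).
type jwk struct {
	Kid string `json:"kid"`
	Use string `json:"use"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// bundle is the trust domain's JWKS document; a client registration's jwks_uri can point at it.
type bundle struct{ Keys []jwk `json:"keys"` }

type claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"` // array form assumed (RFC 7519 also allows a bare string)
	Exp int64    `json:"exp"`
}

func newWorkloadKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// bundleFromKey publishes one JWT-SVID signing key the way a bundle endpoint would.
func bundleFromKey(pub *ecdsa.PublicKey, kid string) bundle {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return bundle{Keys: []jwk{{Kid: kid, Use: "jwt-svid", X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}}}
}

// mintAssertion (workload side): ES256 JWT with iss = sub = SPIFFE ID and aud = token endpoint.
func mintAssertion(priv *ecdsa.PrivateKey, kid, spiffeID, tokenEndpoint string, nowUnix int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims{Iss: spiffeID, Sub: spiffeID, Aud: []string{tokenEndpoint}, Exp: nowUnix + 300})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyAssertion (AS side): resolve kid in the bundle, check the signature, then bind the
// claims to the registered client_id (a SPIFFE ID) and to this token endpoint.
func verifyAssertion(tok string, bdl bundle, registeredID, tokenEndpoint string, nowUnix int64) (*claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return nil, errors.New("bad JWS encoding")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("alg must be ES256") // refuses alg=none and HMAC key confusion
	}
	var pub *ecdsa.PublicKey
	for _, k := range bdl.Keys {
		if k.Kid == hdr.Kid && k.Use == "jwt-svid" {
			x, _ := b64.DecodeString(k.X)
			y, _ := b64.DecodeString(k.Y)
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	if pub == nil {
		return nil, errors.New("kid is not a jwt-svid key in the trust bundle")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var c claims
	switch {
	case json.Unmarshal(body, &c) != nil:
		return nil, errors.New("bad claims")
	case c.Exp <= nowUnix:
		return nil, errors.New("assertion expired")
	case c.Sub != registeredID || c.Iss != c.Sub || !strings.HasPrefix(c.Sub, "spiffe://"):
		return nil, errors.New("sub/iss is not the registered workload's SPIFFE ID")
	case len(c.Aud) != 1 || c.Aud[0] != tokenEndpoint: // a client assertion is for this AS only
		return nil, errors.New("aud is not this token endpoint")
	}
	return &c, nil
}
```

The binding step is where the workload-credential case differs from a plain private_key_jwt client: the AS must pin sub/iss to the SPIFFE ID it registered as client_id, not merely accept any subject the bundle can sign for, otherwise every workload in the trust domain could authenticate as every other. The audience check and the ES256-only rule are the usual JWT hygiene and reject the wrong-AS and alg-confusion cases.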
