Hello,

It appears that issues posted to the issue trackers under the management of https://github.com/oauth-wg/ are automatically shared with the OAuth WG mailing list. However, since it is unclear whether issues posted to the OAuth SPIFFE Client Authentication issue tracker under arndt-s's account are also automatically shared with the OAuth WG, I am posting the same content here as well.

SPIFFE-CLIENT-AUTH ISSUE 29: Client ID for Client Authentication using X509-SVID
https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/29

In draft 00 of OAuth SPIFFE Client Authentication, when using Client Authentication with X509-SVID, it requires that the value of the client_id request parameter be the SPIFFE ID. However, I believe this requirement should be removed. The reasons are as follows:

- Systems that use the OpenID Federation 1.0 specification cannot use OAuth SPIFFE Client Authentication.
- Systems that use the OAuth Client ID Metadata Document specification cannot use OAuth SPIFFE Client Authentication.
- Systems in which client IDs cannot be flexibly changed cannot use OAuth SPIFFE Client Authentication.

The client authentication method defined in RFC 8705 Section 2.1 works correctly even if the value of the tls_client_auth_san_uri client metadata differs from the client ID.

Best Regards,
Taka @ Authlete
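Added example, not part of the original message or of either specification's text: a sketch contrasting the draft-00 rule described in the issue with an RFC 8705 Section 2.1 style lookup using tls_client_auth_san_uri. The registry entry, client ID, SPIFFE ID and function names are constructed for illustration, and the code assumes the TLS layer has already validated the certificate chain and extracted the URI SAN values.

```python
# Constructed registration (assumption): the client_id is an HTTPS URL, as in
# deployments where client IDs are URLs, and differs from the SPIFFE ID.
REGISTRY = {
    "https://client.example.com/": {
        "token_endpoint_auth_method": "tls_client_auth",
        "tls_client_auth_san_uri": "spiffe://example.org/workload/billing",
    },
}


def draft00_client_id_rule(client_id, cert_san_uris):
    """Draft-00 requirement as described in the issue: client_id is the SPIFFE ID."""
    return len(cert_san_uris) == 1 and client_id == cert_san_uris[0]


def rfc8705_san_uri_auth(client_id, cert_san_uris, registry=REGISTRY):
    """Look the client up by client_id, then compare the certificate's URI SAN
    with the registered tls_client_auth_san_uri metadata value."""
    meta = registry.get(client_id)
    if meta is None or meta.get("token_endpoint_auth_method") != "tls_client_auth":
        return False
    expected = meta.get("tls_client_auth_san_uri")
    if not expected:
        return False
    # An X509-SVID carries exactly one URI SAN; reject anything else
    # instead of picking one of several candidates.
    if len(cert_san_uris) != 1:
        return False
    # Exact string comparison, no normalization of the SPIFFE ID.
    return cert_san_uris[0] == expected


if __name__ == "__main__":
    svid = ["spiffe://example.org/workload/billing"]  # constructed URI SAN
    cid = "https://client.example.com/"
    print("draft-00 rule:", draft00_client_id_rule(cid, svid))
    print("RFC 8705 san_uri check:", rfc8705_san_uri_auth(cid, svid))
    print("wrong workload:", rfc8705_san_uri_auth(cid, ["spiffe://example.org/workload/other"]))
```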
