Hello,

*SPIFFE-CLIENT-AUTH ISSUE 30: IANA OAuth Parameters for SPIFFE Client Authentication*
https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/30

I would like to propose the following IANA OAuth Parameters <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml> for SPIFFE Client Authentication:

OAuth Dynamic Client Registration Metadata
- spiffe_id
- spiffe_bundle_endpoint

OAuth Token Endpoint Authentication Methods
- spiffe_jwt
- spiffe_x509

Rationale for spiffe_id

SPIFFE Client Authentication with JWT-SVIDs requires the authorization server to ensure that the SPIFFE ID in the SVID matches the registered value, but the specification does not define how this verification is to be performed. If the spiffe_id client metadata is available, the authorization server can satisfy this requirement by comparing the registered metadata value with the SPIFFE ID contained in the SVID.

Rationale for spiffe_bundle_endpoint

Because the location of the SPIFFE Bundle Endpoint cannot be inferred from the SPIFFE ID or the SVID, it must be preconfigured. However, the specification does not define how this configuration is to be performed. If the spiffe_bundle_endpoint client metadata is available, the authorization server can use it to store the preconfigured value.

Rationale for spiffe_jwt and spiffe_x509

The token_endpoint_auth_method client metadata and the token_endpoint_auth_methods_supported server metadata require identifiers representing the new client authentication methods defined by this specification.

Best Regards,
Taka @ Authlete
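The comparison described in the spiffe_id rationale, as an added example that is not part of the original message or of the draft. The function names, the `example.org` values and the client record are constructed for illustration, and the sketch assumes the JWT-SVID signature, expiry and audience were already validated with keys obtained from the registered spiffe_bundle_endpoint.

```python
from urllib.parse import urlsplit

# Constructed client registration using the proposed metadata names.
REGISTERED_CLIENT = {
    "client_id": "billing-service",
    "token_endpoint_auth_method": "spiffe_jwt",
    "spiffe_id": "spiffe://example.org/billing",
    "spiffe_bundle_endpoint": "https://bundle.example.org/bundle.json",
}


def trust_domain(spiffe_id):
    """Return the trust domain of a workload SPIFFE ID, or None if malformed."""
    try:
        parts = urlsplit(spiffe_id)
        has_port = parts.port is not None
    except ValueError:
        return None
    if parts.scheme != "spiffe" or not parts.hostname or not parts.path.strip("/"):
        return None
    # SPIFFE IDs carry no userinfo, port, query or fragment.
    if parts.username or has_port or parts.query or parts.fragment:
        return None
    return parts.hostname


def authenticate_spiffe_jwt(client, verified_claims):
    """Decide whether an already-verified JWT-SVID may authenticate as `client`.

    Hypothetical helper: `verified_claims` is the payload of a JWT-SVID whose
    signature was checked against the client's SPIFFE bundle beforehand.
    """
    if client.get("token_endpoint_auth_method") != "spiffe_jwt":
        return False, "client not registered for spiffe_jwt"
    presented = verified_claims.get("sub")  # a JWT-SVID carries its SPIFFE ID in sub
    if not isinstance(presented, str) or trust_domain(presented) is None:
        return False, "sub is not a valid SPIFFE ID"
    # Exact match against the registered value: no prefix or
    # trust-domain-only matching, so sibling workloads are rejected.
    if presented != client["spiffe_id"]:
        return False, "SPIFFE ID does not match registered spiffe_id"
    return True, "ok"
```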
