> SPIFFE Client Authentication with JWT-SVIDs requires the authorization server
> to ensure that the SPIFFE ID in the SVID matches the registered value, but
> the specification does not define how this verification is to be performed.
> If the spiffe_id client metadata is available, the authorization server can
> satisfy this requirement by comparing the registered metadata value with the
> SPIFFE ID contained in the SVID.
The spiffe_id would mismatch with client_id, right? For using it with CIMD?

– Emelia

> On 20 Feb 2026, at 17:57, Takahiko Kawasaki <[email protected]> wrote:
>
> Hello,
>
> SPIFFE-CLIENT-AUTH ISSUE 30: IANA OAuth Parameters for SPIFFE Client
> Authentication
> https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/30
>
> I would like to propose the following IANA OAuth Parameters
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml>
> for SPIFFE Client Authentication:
>
> OAuth Dynamic Client Registration Metadata
>
>     spiffe_id
>     spiffe_bundle_endpoint
>
> OAuth Token Endpoint Authentication Methods
>
>     spiffe_jwt
>     spiffe_x509
>
> Rationale for spiffe_id
>
> SPIFFE Client Authentication with JWT-SVIDs requires the authorization server
> to ensure that the SPIFFE ID in the SVID matches the registered value, but
> the specification does not define how this verification is to be performed.
> If the spiffe_id client metadata is available, the authorization server can
> satisfy this requirement by comparing the registered metadata value with the
> SPIFFE ID contained in the SVID.
>
> Rationale for spiffe_bundle_endpoint
>
> Because the location of the SPIFFE Bundle Endpoint cannot be inferred from
> the SPIFFE ID or the SVID, it must be preconfigured. However, the
> specification does not define how this configuration is to be performed. If
> the spiffe_bundle_endpoint client metadata is available, the authorization
> server can use it to store the preconfigured value.
>
> Rationale for spiffe_jwt and spiffe_x509
>
> The token_endpoint_auth_method client metadata and the
> token_endpoint_auth_methods_supported server metadata require identifiers
> representing the new client authentication methods defined by this
> specification.
>
> Best Regards,
> Taka @ Authlete
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
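The check that the rationale for spiffe_id describes, written out as an added example that is not part of the thread or of the draft: an authorization server binds a presented JWT-SVID to a registered client by comparing the SVID's `sub` claim with the client's `spiffe_id` metadata, not with `client_id`. That is exactly why the mismatch raised in the reply is harmless: under Client ID Metadata Documents the client_id is an https URL and will never equal a spiffe:// URI, so the binding has to go through the dedicated metadata value. The client metadata, SVID claims and token endpoint below are constructed sample values; the function names are this example's own, and the SVID signature is assumed to have been verified already against the bundle fetched from `spiffe_bundle_endpoint`.

```python
import re
from urllib.parse import urlsplit

# Syntax rules for SPIFFE IDs: lowercase trust domain, restricted path segments.
TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
PATH_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


def parse_spiffe_id(value):
    """Return (trust_domain, path) when `value` is a well-formed SPIFFE ID, else None.

    Rejects anything that is not a spiffe:// URI, or that carries userinfo, a port,
    a query, a fragment, a trailing slash, or empty / "." / ".." path segments."""
    if not isinstance(value, str):
        return None
    parts = urlsplit(value)
    if parts.scheme != "spiffe" or parts.query or parts.fragment:
        return None
    trust_domain = parts.netloc
    if (not trust_domain or "@" in trust_domain or ":" in trust_domain
            or not TRUST_DOMAIN_RE.fullmatch(trust_domain)):
        return None
    if parts.path and (not parts.path.startswith("/") or parts.path.endswith("/")):
        return None
    for segment in parts.path.split("/")[1:]:
        if segment in (".", "..") or not PATH_SEGMENT_RE.fullmatch(segment):
            return None
    return trust_domain, parts.path


def bundle_endpoint_for(registered):
    """Where the trust bundle for verifying this client's SVIDs must be fetched from.

    The location cannot be derived from the SPIFFE ID or the SVID, so it has to be
    preconfigured; here it is read from the proposed spiffe_bundle_endpoint
    metadata and required to be https."""
    endpoint = registered.get("spiffe_bundle_endpoint")
    if not endpoint or urlsplit(endpoint).scheme != "https":
        return None
    return endpoint


def bind_svid_to_client(registered, svid_claims, token_endpoint):
    """Decide whether a JWT-SVID whose signature has ALREADY been verified against
    the trust-domain bundle belongs to the registered client.

    `registered` is the client's metadata, whether it came from dynamic
    registration or from a Client ID Metadata Document. The comparison is
    between the SVID `sub` and the `spiffe_id` metadata, never `client_id`:
    under CIMD the client_id is an https URL and cannot equal a spiffe:// URI.
    Returns (accepted, reason)."""
    if registered.get("token_endpoint_auth_method") != "spiffe_jwt":
        return False, "client is not registered for spiffe_jwt"
    expected = registered.get("spiffe_id")
    if parse_spiffe_id(expected) is None:
        return False, "client has no well-formed spiffe_id metadata"
    if svid_claims.get("sub") != expected:
        return False, "SVID sub does not match registered spiffe_id"
    audience = svid_claims.get("aud")
    if isinstance(audience, str):
        audience = [audience]
    if token_endpoint not in (audience or []):
        return False, "SVID aud does not include this token endpoint"
    return True, "ok"


# Constructed sample data (hypothetical names, not from the draft or the thread).
TOKEN_ENDPOINT = "https://as.example.com/token"
EXAMPLE_CLIENT = {
    # CIMD-style client_id: a URL, so it never equals the SPIFFE ID.
    "client_id": "https://client.example.com/oauth-client-metadata.json",
    "token_endpoint_auth_method": "spiffe_jwt",
    "spiffe_id": "spiffe://example.org/ns/prod/sa/billing",
    "spiffe_bundle_endpoint": "https://spire.example.org/bundle",
}
EXAMPLE_SVID_CLAIMS = {
    "sub": "spiffe://example.org/ns/prod/sa/billing",
    "aud": [TOKEN_ENDPOINT],
    "exp": 1771600000,
}


def main():
    print("bundle endpoint:", bundle_endpoint_for(EXAMPLE_CLIENT))
    print("matching SVID:", bind_svid_to_client(EXAMPLE_CLIENT, EXAMPLE_SVID_CLAIMS, TOKEN_ENDPOINT))
    # An SVID whose sub equals the client_id instead of the spiffe_id is rejected.
    wrong_sub = {**EXAMPLE_SVID_CLAIMS, "sub": EXAMPLE_CLIENT["client_id"]}
    print("client_id as sub:", bind_svid_to_client(EXAMPLE_CLIENT, wrong_sub, TOKEN_ENDPOINT))


if __name__ == "__main__":
    main()
```

The same binding applies to spiffe_x509, with the SPIFFE ID taken from the certificate's URI SAN instead of the `sub` claim; the audience check is specific to JWT-SVIDs.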
