Would not a client_alternate_id be a better option than spiffe_id?

WIMSE is coming next; there might not be a specific constraint between a 
WIMSE ID and an OAuth client ID. A more generic approach would solve the case 
for any existing, in-development, and potentially future specs.

Jean-François “Jeff” Lombardo | Amazon Web Services

Principal Solution Architect, Security Specialist
Montréal, Canada


From: Takahiko Kawasaki <[email protected]>
Sent: February 20, 2026 12:34 PM
To: Aaron Parecki <[email protected]>
Cc: Emelia S. <[email protected]>; oauth <[email protected]>; Lombardo, Jeff 
<[email protected]>
Subject: RE: [EXT] [OAUTH-WG] Re: IANA OAuth Parameters for SPIFFE Client 
Authentication


CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you can confirm the sender and know the 
content is safe.

Hi Aaron,

Yes, what I expect the Client ID Metadata Document to contain is as follows:
"token_endpoint_auth_method": "spiffe_jwt" or "spiffe_x509",
"spiffe_id": "spiffe://example.org/my-oauth-client",
"spiffe_bundle_endpoint": "https://example.org/bundle"



On Sat, Feb 21, 2026 at 2:17 AM Lombardo, Jeff <[email protected]> wrote:
I concur on this strategy being the one that can rule all the cases [and in the 
light binds them].

When using CIMD, it must become the source of truth for a client_id and all its 
possible aliases.


From: Aaron Parecki <[email protected]>
Sent: February 20, 2026 12:09 PM
To: Emelia S. <[email protected]>
Cc: oauth <[email protected]>
Subject: [EXT] [OAUTH-WG] Re: IANA OAuth Parameters for SPIFFE Client 
Authentication



It sounds like the CIMD would publish the `spiffe_id` in the metadata, that way 
the SPIFFE-ID in the SVID can be validated against the value in the CIMD? That 
sounds like it would work.

On Fri, Feb 20, 2026 at 9:06 AM Emelia S. <[email protected]> wrote:
> SPIFFE Client Authentication with JWT-SVIDs requires the authorization server 
> to ensure that the SPIFFE ID in the SVID matches the registered value, but 
> the specification does not define how this verification is to be performed. 
> If the spiffe_id client metadata is available, the authorization server can 
> satisfy this requirement by comparing the registered metadata value with the 
> SPIFFE ID contained in the SVID.
The spiffe_id would mismatch with client_id right? For using it with CIMD?

– Emelia


On 20 Feb 2026, at 17:57, Takahiko Kawasaki <[email protected]> wrote:

Hello,

SPIFFE-CLIENT-AUTH ISSUE 30: IANA OAuth Parameters for SPIFFE Client 
Authentication
https://github.com/arndt-s/oauth-spiffe-client-authentication/issues/30


I would like to propose the following IANA OAuth Parameters 
(https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml) 
for SPIFFE Client Authentication:

OAuth Dynamic Client Registration Metadata

  *   spiffe_id
  *   spiffe_bundle_endpoint

OAuth Token Endpoint Authentication Methods

  *   spiffe_jwt
  *   spiffe_x509

Rationale for spiffe_id

SPIFFE Client Authentication with JWT-SVIDs requires the authorization server 
to ensure that the SPIFFE ID in the SVID matches the registered value, but the 
specification does not define how this verification is to be performed. If the 
spiffe_id client metadata is available, the authorization server can satisfy 
this requirement by comparing the registered metadata value with the SPIFFE ID 
contained in the SVID.

Rationale for spiffe_bundle_endpoint

Because the location of the SPIFFE Bundle Endpoint cannot be inferred from the 
SPIFFE ID or the SVID, it must be preconfigured. However, the specification 
does not define how this configuration is to be performed. If the 
spiffe_bundle_endpoint client metadata is available, the authorization server 
can use it to store the preconfigured value.

Rationale for spiffe_jwt and spiffe_x509

The token_endpoint_auth_method client metadata and the 
token_endpoint_auth_methods_supported server metadata require identifiers 
representing the new client authentication methods defined by this 
specification.

Best Regards,
Taka @ Authlete

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]



--
Takahiko Kawasaki
Co-Founder
[email protected]
Authlete
https://www.authlete.com/ | LinkedIn: https://www.linkedin.com/company/authlete/
