{"id":2056,"date":"2020-03-03T16:29:16","date_gmt":"2020-03-04T00:29:16","guid":{"rendered":"https:\/\/self-issued.info\/?p=2056"},"modified":"2020-03-03T16:30:45","modified_gmt":"2020-03-04T00:30:45","slug":"two-new-oauth-rfcs-mtls-rfc-8705-and-resource-indicators-rfc-8707","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=2056","title":{"rendered":"Two New OAuth RFCs:  MTLS (RFC 8705) and Resource Indicators (RFC 8707)"},"content":{"rendered":"<p><span class=\"plain\"><img decoding=\"async\" align=\"right\" alt=\"OAuth logo\" src=\"https:\/\/self-issued.info\/images\/oauth_logo_120x120.png\"><\/span>Two widely used OAuth specifications have recently become RFCs.  Here&#8217;s a bit about both specs.<\/p>\n<p><b><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc8705.html\">RFC 8705<\/a>:  OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens<\/b><\/p>\n<blockquote><p>\nAbstract:  <i>This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client&#8217;s mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.<\/i><\/p><\/blockquote>\n<p>Client certificates are widely used in the financial industry to authenticate OAuth clients.  Indeed, this specification was developed in part because it was needed by the <a href=\"https:\/\/openid.net\/specs\/openid-financial-api-part-2-ID2.html\">OpenID Financial-Grade API (FAPI)<\/a> specifications.  
It is in production use by numerous Open Banking deployments today.<\/p>\n<p><b><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc8707.html\">RFC 8707<\/a>:  Resource Indicators for OAuth 2.0<\/b><\/p>\n<blockquote><p>\nAbstract:  <i>This document specifies an extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the identity of the protected resource(s) to which it is requesting access.<\/i><\/p><\/blockquote>\n<p>This specification standardizes the &#8220;<code>resource<\/code>&#8221; request parameter that is used by Azure Active Directory (AAD) V1 to specify the target resource for an OAuth authorization request.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two widely used OAuth specifications have recently become RFCs. Here&#8217;s a bit about both specs. RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens Abstract: This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. 
OAuth clients are provided a mechanism [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28,32,26,14,25],"tags":[],"class_list":["post-2056","post","type-post","status-publish","format-standard","hentry","category-cryptography","category-ietf","category-oauth","category-openid","category-specifications"],"_links":{"self":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2056"}],"version-history":[{"count":2,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2056\/revisions"}],"predecessor-version":[{"id":2058,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2056\/revisions\/2058"}],"wp:attachment":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
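Added example (not code from the post, the RFC authors, or any Open Banking deployment): a toy authorization server and resource server that exercise the two mechanisms the abstracts describe, the RFC 8707 `resource` request parameter (audience-restricting the token) and the RFC 8705 certificate-bound access token (the `cnf` / `x5t#S256` thumbprint that a protected resource compares against the client certificate from the mutual-TLS handshake). The shared-secret HMAC signing, the issuer and resource URIs, and the byte strings standing in for DER-encoded certificates are all constructed for this example; a real AS would sign with an asymmetric key, and the TLS layer would supply the actual certificate.

```python
"""Added example, not code from the post or from the RFC authors: a toy
authorization server (AS) and resource server showing RFC 8707's `resource`
request parameter and RFC 8705's certificate-bound access tokens.

Constructed assumptions:
  * the AS signs access tokens with HMAC-SHA256 under AS_SECRET (a real AS
    would use an asymmetric key; HMAC keeps this dependency-free);
  * CLIENT_CERT_DER / OTHER_CERT_DER stand in for the DER-encoded X.509
    certificates the TLS layer hands the application after mutual TLS.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode, urlsplit

AS_SECRET = b"constructed-shared-secret-do-not-reuse"
AS_ISSUER = "https://as.example.com/"
# Resources this AS is willing to issue tokens for; anything else gets the
# RFC 8707 `invalid_target` error.
KNOWN_RESOURCES = {"https://api.example.com/", "https://files.example.com/"}
CLIENT_CERT_DER = b"constructed stand-in for the legitimate client's DER certificate"
OTHER_CERT_DER = b"constructed stand-in for some other party's DER certificate"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1: base64url(SHA-256(DER certificate)), the cnf value."""
    return b64url(hashlib.sha256(cert_der).digest())


def validate_resource(resource: str) -> bool:
    """RFC 8707 section 2: an absolute URI; a query is allowed, a fragment is not."""
    parts = urlsplit(resource)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False
    return resource in KNOWN_RESOURCES


def build_authorization_request(client_id: str, redirect_uri: str, resources: list) -> str:
    """Query string for the authorization request; `resource` may be repeated."""
    params = [("response_type", "code"), ("client_id", client_id),
              ("redirect_uri", redirect_uri)] + [("resource", r) for r in resources]
    return urlencode(params)


def issue_token(client_cert_der: bytes, resource: str, subject: str) -> str:
    """AS side: audience-restrict the token to `resource` and bind it to the
    certificate the client presented during mutual TLS."""
    if not validate_resource(resource):
        raise ValueError("invalid_target")
    header = {"alg": "HS256"}
    claims = {"iss": AS_ISSUER, "sub": subject, "aud": resource,
              "exp": int(time.time()) + 300,
              "cnf": {"x5t#S256": x5t_s256(client_cert_der)}}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(AS_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_at_resource(token: str, presented_cert_der: bytes, my_resource: str) -> str:
    """Resource-server side. Returns "ok" or the reason for rejection.
    The thumbprint comparison needs only the certificate the TLS handshake
    produced; the binding check itself does not depend on chain validation."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(AS_SECRET, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return "bad_signature"
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        return "expired"
    # RFC 8707: the resource parameter becomes the audience, so a token minted
    # for https://files.example.com/ is useless at https://api.example.com/.
    if claims.get("aud") != my_resource:
        return "wrong_audience"
    # RFC 8705: a token without cnf is a plain bearer token; a resource that
    # requires certificate binding must refuse it rather than fall back.
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if bound is None:
        return "no_cnf"
    if not hmac.compare_digest(str(bound).encode(), x5t_s256(presented_cert_der).encode()):
        return "cert_mismatch"
    return "ok"


if __name__ == "__main__":
    print(build_authorization_request("client-1", "https://app.example.org/cb",
                                      ["https://api.example.com/"]))
    tok = issue_token(CLIENT_CERT_DER, "https://api.example.com/", "alice")
    print(verify_at_resource(tok, CLIENT_CERT_DER, "https://api.example.com/"))    # ok
    print(verify_at_resource(tok, OTHER_CERT_DER, "https://api.example.com/"))     # cert_mismatch
    print(verify_at_resource(tok, CLIENT_CERT_DER, "https://files.example.com/"))  # wrong_audience
```

The second call in the `__main__` block is the case RFC 8705 exists for: a token leaked from the legitimate client is replayed over a TLS session authenticated with a different certificate, and the resource rejects it even though the signature and audience are fine. The third call is the RFC 8707 case: a token minted for one resource is presented at another and fails the audience check.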