1. Introduction
The OAuth 2.0 Authorization Framework [RFC6749] enables third-party client applications to obtain delegated access to protected resources. In the prototypical abstract OAuth flow, illustrated in Figure 1, the client obtains an access token from an entity known as an authorization server and then uses that token when accessing protected resources, such as HTTPS APIs.
+--------+ +---------------+
| | | |
| |<--(A)-- Get an access token --->| Authorization |
| | | Server |
| | | |
| | +---------------+
| | ^
| | |
| |
| | (C) |
| Client | Validate the
| | access token |
| |
| | |
| | v
| | +---------------+
| | | (C) |
| | | |
| |<--(B)-- Use the access token -->| Protected |
| | | Resource |
| | | |
+--------+ +---------------+
Figure 1: Abstract OAuth 2.0 Protocol Flow
The flow illustrated in Figure 1 includes the following steps:
(A) The client makes an HTTPS "POST" request to the authorization server and presents a credential representing the authorization grant. For certain types of clients (those that have been issued or otherwise established a set of client credentials) the request must be authenticated. In the response, the authorization server issues an access token to the client.
(B) The client includes the access token when making a request to access a protected resource.
(C) The protected resource validates the access token in order to authorize the request. In some cases, such as when the token is self-contained and cryptographically secured, the validation can be done locally by the protected resource. Other cases require that the protected resource call out to the authorization server to determine the state of the token and obtain metainformation about it.
Layering on the abstract flow above, this document standardizes enhanced security options for OAuth 2.0 utilizing client-certificate-based mutual TLS. Section 2 provides options for authenticating the request in Step (A). Step (C) is supported with semantics to express the binding of the token to the client certificate for both local and remote processing in Sections 3.1 and 3.2, respectively. This ensures that, as described in Section 3, protected resource access in Step (B) is only possible by the legitimate client using a certificate-bound token and holding the private key corresponding to the certificate.
OAuth 2.0 defines a shared-secret method of client authentication but also allows for defining and using additional client authentication mechanisms when interacting directly with the authorization server. This document describes an additional mechanism of client authentication utilizing mutual-TLS certificate-based authentication that provides better security characteristics than shared secrets. While [RFC6749] documents client authentication for requests to the token endpoint, extensions to OAuth 2.0 (such as Introspection [RFC7662], Revocation [RFC7009], and the Backchannel Authentication Endpoint in [OpenID.CIBA]) define endpoints that also utilize client authentication, and the mutual-TLS methods defined herein are applicable to those endpoints as well.
Mutual-TLS certificate-bound access tokens ensure that only the party in possession of the private key corresponding to the certificate can utilize the token to access the associated resources. Such a constraint is sometimes referred to as key confirmation, proof-of-possession, or holder-of-key and is unlike the case of the bearer token described in [RFC6750], where any party in possession of the access token can use it to access the associated resources. Binding an access token to the client's certificate prevents the use of stolen access tokens or replay of access tokens by unauthorized parties.
Mutual-TLS certificate-bound access tokens and mutual-TLS client authentication are distinct mechanisms that are complementary but don't necessarily need to be deployed or used together.
Additional client metadata parameters are introduced by this document in support of certificate-bound access tokens and mutual-TLS client authentication. The authorization server can obtain client metadata via the Dynamic Client Registration Protocol [RFC7591], which defines mechanisms for dynamically registering OAuth 2.0 client metadata with authorization servers. Also the metadata defined by [RFC7591], and registered extensions to it, imply a general data model for clients that is useful for authorization server implementations, even when the Dynamic Client Registration Protocol isn't in play. Such implementations will typically have some sort of user interface available for managing client configuration.