2.1.2. Client Registration Metadata

In order to convey the expected subject of the certificate, the following metadata parameters are introduced for the OAuth 2.0 Dynamic Client Registration Protocol [RFC7591] in support of the PKI method of mutual-TLS client authentication. A client using the tls_client_auth authentication method MUST use exactly one of the below metadata parameters to indicate the certificate subject value that the authorization server is to expect when authenticating the respective client.

tls_client_auth_subject_dn

A string representation -- as defined in [RFC4514] -- of the expected subject distinguished name of the certificate that the OAuth client will use in mutual-TLS authentication.

tls_client_auth_san_dns

A string containing the value of an expected dNSName SAN entry in the certificate that the OAuth client will use in mutual-TLS authentication.

tls_client_auth_san_uri

A string containing the value of an expected uniformResourceIdentifier SAN entry in the certificate that the OAuth client will use in mutual-TLS authentication.

tls_client_auth_san_ip

A string representation of an IP address in either dotted decimal notation (for IPv4) or colon-delimited hexadecimal (for IPv6, as defined in [RFC5952]) that is expected to be present as an iPAddress SAN entry in the certificate that the OAuth client will use in mutual-TLS authentication. Per Section 8 of [RFC5952], the IP address comparison of the value in this parameter and the SAN entry in the certificate is to be done in binary format.

tls_client_auth_san_email

A string containing the value of an expected rfc822Name SAN entry in the certificate that the OAuth client will use in mutual-TLS authentication.
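As an added example (not text or code from RFC 8705 and not any particular authorization server's implementation), the following Python sketches the two checks an authorization server makes with these parameters: at registration time, that a tls_client_auth client supplied exactly one of the five expected-subject parameters with a well-formed value; and at authentication time, that the certificate presented during the TLS handshake carries that subject. It assumes the server's X.509 parser has already produced the subject as an RFC 4514 string and the subjectAltName entries as (GeneralName type, value) pairs, with iPAddress values as either text or the raw 4/16-octet form. Two further simplifications are marked in the code: dNSName values are compared case-insensitively, and the subject DN is compared as an exact RFC 4514 string, which is weaker than the RFC 5280 distinguished-name matching rules a production server should apply.

```python
import ipaddress
from typing import Mapping, Sequence, Tuple, Union

# The five expected-subject parameters defined for tls_client_auth clients.
# A client MUST register exactly one of them.
SUBJECT_PARAMS = (
    "tls_client_auth_subject_dn",
    "tls_client_auth_san_dns",
    "tls_client_auth_san_uri",
    "tls_client_auth_san_ip",
    "tls_client_auth_san_email",
)

# Which subjectAltName GeneralName type each SAN parameter refers to.
SAN_TYPE_FOR_PARAM = {
    "tls_client_auth_san_dns": "dNSName",
    "tls_client_auth_san_uri": "uniformResourceIdentifier",
    "tls_client_auth_san_ip": "iPAddress",
    "tls_client_auth_san_email": "rfc822Name",
}

SanEntry = Tuple[str, Union[str, bytes]]  # (GeneralName type, value) from the parser


def validate_registration(metadata: Mapping[str, object]) -> str:
    """Registration-time check: return the one expected-subject parameter the client used.

    Raises ValueError for zero or more than one parameter, a non-string value, or an
    unparseable IP literal in tls_client_auth_san_ip. Assumption for this example: the
    server turns that ValueError into a rejected registration request.
    """
    if metadata.get("token_endpoint_auth_method") != "tls_client_auth":
        raise ValueError("expected-subject parameters only apply to tls_client_auth clients")
    present = [p for p in SUBJECT_PARAMS if p in metadata]
    if len(present) != 1:
        raise ValueError(f"exactly one expected-subject parameter is required, found {present}")
    name = present[0]
    value = metadata[name]
    if not isinstance(value, str) or not value:
        raise ValueError(f"{name} must be a non-empty string")
    if name == "tls_client_auth_san_ip":
        ipaddress.ip_address(value)  # raises ValueError unless a valid IPv4/IPv6 literal
    return name


def is_valid_registration(metadata: Mapping[str, object]) -> bool:
    """Boolean wrapper around validate_registration for callers that only need yes/no."""
    try:
        validate_registration(metadata)
        return True
    except ValueError:
        return False


def certificate_matches(metadata: Mapping[str, object], subject_dn: str,
                        sans: Sequence[SanEntry]) -> bool:
    """Authentication-time check: does the presented certificate carry the registered subject?

    subject_dn is the RFC 4514 string form of the certificate subject; sans lists the
    subjectAltName entries as (type, value) pairs produced by the server's X.509 parser.
    """
    name = validate_registration(metadata)
    expected = metadata[name]

    if name == "tls_client_auth_subject_dn":
        # Simplification: exact string comparison. A production server should compare
        # the two names under the RFC 5280 section 7.1 rules instead.
        return subject_dn == expected

    wanted_type = SAN_TYPE_FOR_PARAM[name]
    for san_type, san_value in sans:
        if san_type != wanted_type:
            continue  # an rfc822Name never satisfies tls_client_auth_san_dns, and so on
        if wanted_type == "iPAddress":
            # RFC 8705 requires the comparison in binary form (RFC 5952 section 8), so
            # "2001:db8::1" matches a SAN written "2001:0DB8:0:0:0:0:0:1" or carried as
            # 16 raw octets; comparing the strings would wrongly reject both.
            try:
                if ipaddress.ip_address(san_value) == ipaddress.ip_address(expected):
                    return True
            except ValueError:
                continue  # malformed SAN entry: ignore it rather than fail open
        elif wanted_type == "dNSName":
            # Assumption: DNS names are matched case-insensitively.
            if san_value.lower() == expected.lower():
                return True
        elif san_value == expected:
            return True
    return False
```

The registration-time validation is where the "exactly one" rule is enforced; letting a client register two subject parameters would leave the server guessing which one binds the certificate. At authentication time the SAN type is part of the match, so a certificate whose only matching value sits in a different GeneralName type does not satisfy the registration, and the iPAddress branch normalises both sides through the ipaddress module precisely because the RFC calls for a binary, not textual, comparison.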