2.2.2. Client Registration Metadata

For the Self-Signed Certificate method of binding a certificate with a client using mutual-TLS client authentication, the existing jwks_uri or jwks metadata parameters from [RFC7591] are used to convey the client's certificates via JSON Web Key (JWK) in a JWK Set [RFC7517]. The jwks metadata parameter is a JWK Set containing the client's public keys as an array of JWKs, while the jwks_uri parameter is a URL that references a client's JWK Set. A certificate is represented with the x5c parameter of an individual JWK within the set. Note that the members of the JWK representing the public key (e.g., n and e for RSA, x and y for Elliptic Curve (EC)) are required parameters per [RFC7518] so will be present even though they are not utilized in this context. Also note that Section 4.7 of [RFC7517] requires that the key in the first certificate of the x5c parameter match the public key represented by those other members of the JWK.