2. Mutual TLS for OAuth Client Authentication
This section defines, as an extension of Section 2.3 of OAuth 2.0 [RFC6749], two distinct methods of using mutual-TLS X.509 client certificates as client credentials. The requirement of mutual TLS for client authentication is determined by the authorization server, based on policy or configuration for the given client (regardless of whether the client was dynamically registered, statically configured, or otherwise established).
In order to utilize TLS for OAuth client authentication, the TLS connection between the client and the authorization server MUST have been established or re-established with mutual-TLS X.509 certificate authentication (i.e., the client Certificate and CertificateVerify messages are sent during the TLS handshake).
For all requests to the authorization server utilizing mutual-TLS client authentication, the client MUST include the client_id parameter described in Section 2.2 of OAuth 2.0 [RFC6749]. The presence of the client_id parameter enables the authorization server to easily identify the client independently from the content of the certificate. The authorization server can locate the client configuration using the client identifier and check the certificate presented in the TLS handshake against the expected credentials for that client. The authorization server MUST enforce the binding between client and certificate, as described in either Section 2.1 or 2.2 below. If no certificate is presented, or the presented certificate does not match the one expected for the given client_id, the authorization server returns a normal OAuth 2.0 error response per Section 5.2 of [RFC6749] with the invalid_client error code to indicate failed client authentication.
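The authorization-server side of the procedure above (require a mutually authenticated TLS connection, read client_id from the request, locate the client configuration, compare the presented certificate with the expected credential, and answer with invalid_client on any mismatch), as an added example in Python. It is not code from RFC 8705 or from any reference implementation. The client registry, the certificate byte strings and the binding rule are constructed for the example: the check compares a SHA-256 fingerprint of the DER-encoded certificate with a registered value, which stands in for whichever of the Section 2.1 or 2.2 binding rules the server applies (those sections are not part of this excerpt). The certificate bytes are what ssl.SSLSocket.getpeercert(binary_form=True) returns for a real connection; the CA bundle and server key paths in mtls_server_context are placeholders.

```python
import hashlib
import hmac
import json
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ClientConfig:
    client_id: str
    # Assumed binding representation: hex SHA-256 fingerprint of the DER
    # certificate the client was registered with. The actual PKI / self-signed
    # binding rules are those of RFC 8705 Sections 2.1 and 2.2.
    expected_cert_sha256: str


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for the DER bytes of two clients' certificates.
# In a real server they come from sock.getpeercert(binary_form=True).
CLIENT_A_CERT_DER = b"constructed-der-bytes-for-client-a"
CLIENT_B_CERT_DER = b"constructed-der-bytes-for-client-b"

# Constructed client registry, keyed by client_id (hypothetical clients).
CLIENT_REGISTRY: Dict[str, ClientConfig] = {
    "client-a": ClientConfig("client-a", cert_fingerprint(CLIENT_A_CERT_DER)),
    "client-b": ClientConfig("client-b", cert_fingerprint(CLIENT_B_CERT_DER)),
}


def mtls_server_context(ca_bundle: str, server_cert: str, server_key: str) -> ssl.SSLContext:
    """TLS server context that demands a client certificate in the handshake,
    so the Certificate and CertificateVerify messages are always sent.
    All three paths are deployment-specific placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    return ctx


def oauth_error(error: str) -> dict:
    """Error response in the shape of RFC 6749 Section 5.2 (HTTP 400, JSON body)."""
    return {
        "status": 400,
        "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
        "body": json.dumps({"error": error}),
    }


def authenticate_client(form: Dict[str, str],
                        peer_cert_der: Optional[bytes]) -> Tuple[Optional[ClientConfig], Optional[dict]]:
    """Return (client_config, None) on success or (None, error_response) on failure.

    form          -- decoded application/x-www-form-urlencoded request body
    peer_cert_der -- DER bytes of the certificate from the TLS handshake, or
                     None when the connection was not mutually authenticated
    """
    # client_id is mandatory for every mTLS-authenticated request; its absence
    # is a missing required parameter (invalid_request in RFC 6749 Section 5.2).
    client_id = form.get("client_id")
    if not client_id:
        return None, oauth_error("invalid_request")

    # Locate the client configuration by client_id, independent of the cert.
    cfg = CLIENT_REGISTRY.get(client_id)
    if cfg is None:
        return None, oauth_error("invalid_client")

    # No certificate presented, or a certificate other than the expected one:
    # failed client authentication, signalled with invalid_client.
    if peer_cert_der is None:
        return None, oauth_error("invalid_client")
    presented = cert_fingerprint(peer_cert_der)
    if not hmac.compare_digest(presented, cfg.expected_cert_sha256):
        return None, oauth_error("invalid_client")

    return cfg, None


if __name__ == "__main__":
    ok, err = authenticate_client({"client_id": "client-a"}, CLIENT_A_CERT_DER)
    print("client-a with own cert:", ok.client_id if ok else err["body"])
    ok, err = authenticate_client({"client_id": "client-a"}, CLIENT_B_CERT_DER)
    print("client-a with client-b cert:", err["body"])
    ok, err = authenticate_client({"client_id": "client-a"}, None)
    print("client-a without cert:", err["body"])
```

The lookup is keyed on client_id first and the certificate is checked second, which is the order the text prescribes: the identifier selects the expected credential, and the certificate is never used on its own to discover which client is calling. A constant-time comparison is used for the fingerprint so that the check does not leak how many leading bytes matched.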