Certificate-Bound Access Tokens
17.7.1.8. AS-centric AS - Certificate-Bound Access Tokens

Certificate-Bound Access Tokens are a more secure way to authenticate OAuth 2.0 clients. They add a security layer when using access tokens for authorization.

If an OAuth client uses mutual TLS when connecting to the OAuth AS, the AS binds the issue Access Token to the client certificate used client certificate. This is done by storing a hash value of the client certificate as JWT cnf claim. End-points verifying the Access Token may assure that the correct client certificate is used and thus ensure that it is used by the legitimate OAuth Client only.

Registration of a client

  • 1.
    Go to:
    Loginapp >> REST Settings >> Technical Client Registration >> Default Flow
  • 2.
    Verify that the first step of the flow is a Certificate Credential Extraction Step.
  • DCR registered clients using mTLS are stored with certificate credentials for authentication.

Configuration of the Token Endpoint

  • 1.
    Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> {{AS-Id}} >> Token Endpoint
  • 2.
    Configure an OAuth 2.0 Client mTLS Authentication plugin for the Client Authentication setting.
  • Clients must use mTLS to authenticate.
  • 3.
    Set Issue Certificate-Bound Access Tokens to true.
  • JWT access tokens are issued with the cnf claim and the token introspection endpoint (and other endpoints verifying the Access Token may verify the cnf claim.

Further information and links