AS-centric AS - Certificate-Bound Access Tokens

Certificate-Bound Access Tokens are a more secure way to authenticate OAuth 2.0 clients. They add a security layer when using access tokens for authorization.

If an OAuth client uses mutual TLS when connecting to the OAuth AS, the AS binds the issue Access Token to the client certificate used client certificate. This is done by storing a hash value of the client certificate as JWT cnf claim. End-points verifying the Access Token may assure that the correct client certificate is used and thus ensure that it is used by the legitimate OAuth Client only.

1. Go to:
   Loginapp >> REST Settings >> Technical Client Registration >> Default Flow
2. Verify that the first step of the flow is a Certificate Credential Extraction Step.
3. DCR registered clients using mTLS are stored with certificate credentials for authentication.

1. Go to:
   Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> {{AS-Id}} >> Token Endpoint
2. Configure an OAuth 2.0 Client mTLS Authentication plugin for the Client Authentication setting.
3. Clients must use mTLS to authenticate.
4. Set Issue Certificate-Bound Access Tokens to true.
5. JWT access tokens are issued with the cnf claim and the token introspection endpoint (and other endpoints verifying the Access Token may verify the cnf claim.

• See RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens for more information.
• See AS-centric AS - Dynamic client registration configuration for more information on how to configure DCR.
• See AS-centric AS - client credentials grant usage example for an example of how to register a client dynamically.