LLMpedia: The first transparent, open encyclopedia generated by LLMs

RFC 8705

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
RFC 8705
Number: 8705
Title: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
Authors: Benjamin Kaduk, Torsten Lodderstedt, John Bradley
Year: 2020
Status: Standards Track
Organization: Internet Engineering Task Force

RFC 8705 specifies mechanisms for using mutual TLS (mTLS) for OAuth 2.0 client authentication and for binding access tokens to certificates. It defines how OAuth 2.0 clients can authenticate to authorization servers using TLS client certificates and how access tokens can be bound to the TLS layer to mitigate token theft. The document situates itself within the IETF standards development work on OAuth extensions and transport-layer security.

Introduction

RFC 8705 extends the OAuth 2.0 framework by describing two related uses of TLS certificates: mutual-TLS client authentication and certificate-bound access tokens. The specification builds on prior standards such as OAuth 2.0, Transport Layer Security, and other IETF specifications, and aims to improve security for deployments in environments involving entities like the OpenID Foundation, the Internet Engineering Task Force, and enterprises using PKI from providers such as Let's Encrypt or commercial CAs like DigiCert.

Background and Motivation

The motivation for RFC 8705 arises from threats to bearer tokens observed in deployments involving entities like Google LLC, Microsoft Corporation, and financial institutions subject to frameworks like the Payment Services Directive 2, where token theft can lead to unauthorized access. Existing client authentication methods in OAuth 2.0 (for example, those used by the OAuth 2.0 Authorization Framework and implementations from vendors such as Okta Inc. or Auth0) often rely on shared secrets or bearer tokens. RFC 8705 leverages public-key infrastructure concepts championed by organizations such as Internet Engineering Task Force working groups and standards bodies like the World Wide Web Consortium to bind tokens to TLS client certificates, reducing the risk of token replay highlighted by incidents in environments like Amazon Web Services or Google Cloud Platform.

Specification and Protocol Details

RFC 8705 defines two principal mechanisms. First, mutual-TLS client authentication allows a client to present an X.509 certificate during the TLS handshake as proof of identity to an authorization server, referencing certificate validation practices documented by bodies such as the IETF PKIX Working Group and registries maintained by the Internet Assigned Numbers Authority. Second, certificate-bound access tokens are access tokens that include or reference a confirmation (cnf) claim, which ties token usage to the TLS client certificate presented at connection establishment. The specification references algorithms and formats from standards like JSON Web Token, JSON Web Signature, and Public-Key Infrastructure X.509 to represent the confirmation material. It prescribes behaviors for endpoints including the authorization endpoint and token endpoint familiar from implementations by vendors like ForgeRock and integrations used by platforms such as Salesforce. RFC 8705 also outlines error handling consistent with prior OAuth profiles adopted by services including GitHub and GitLab.

Security Considerations

The security rationale in RFC 8705 addresses threats cataloged by bodies such as the National Institute of Standards and Technology in publications on token handling, and by industry breaches involving supply-chain actors. Binding tokens to certificates mitigates token theft, replay, and man-in-the-middle adversaries described in threat analyses by groups like ENISA and in modern incident reports such as Verizon's data breach investigations. The document also discusses risks tied to certificate lifecycle management, revocation mechanisms such as the Online Certificate Status Protocol and Certificate Revocation List distribution, and operational concerns when using certificate authorities such as Entrust or organizational PKI like that of the U.S. Department of Defense for high-assurance deployments.
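The certificate-binding check described in the two sections above, as an added example that is not text or code from RFC 8705 or from this article: the authorization server puts the certificate's SHA-256 thumbprint in the token's cnf claim as x5t#S256, and the resource server recomputes the thumbprint of the certificate on the current mTLS connection, so a stolen token replayed from a connection with a different certificate (or no certificate) is refused. The certificate bytes and the issuer URL are constructed stand-ins; a real resource server takes the DER certificate from the TLS layer and runs this after validating the JWT signature and expiry.

```python
"""Certificate-bound access tokens: the authorization server records the
SHA-256 thumbprint of the client's TLS certificate in the cnf claim (x5t#S256);
the resource server recomputes it for the presented certificate and compares."""
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-ins for DER-encoded X.509 certificates (not real certs).
# The thumbprint rule is the same for real DER: base64url(SHA-256(DER)), unpadded.
LEGIT_CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"legit-client-cert".ljust(252, b"\x00")
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"some-other-cert".ljust(252, b"\x00")


def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256 value: base64url-encoded SHA-256 of the DER certificate, no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_claims(sub: str, scope: str, cert_der: bytes, ttl: int = 300) -> dict:
    """Authorization-server side: JWT payload whose cnf claim binds it to cert_der.
    The issuer URL is an assumed placeholder, not a value from the RFC."""
    now = int(time.time())
    return {
        "iss": "https://as.example",
        "sub": sub,
        "scope": scope,
        "iat": now,
        "exp": now + ttl,
        "cnf": {"x5t#S256": x5t_s256(cert_der)},
    }


def verify_binding(claims: dict, presented_cert_der: Optional[bytes],
                   require_binding: bool = True) -> bool:
    """Resource-server side check, run after the JWT signature and exp are verified.
    A token without cnf is a plain bearer token: refuse it when binding is required.
    A bound token over a connection with no or a different client certificate fails."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return not require_binding  # plain bearer token, no binding to check
    expected = cnf["x5t#S256"]
    if presented_cert_der is None or not isinstance(expected, str):
        return False  # bound token without a usable certificate to compare against
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison so the check does not leak the expected thumbprint.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))
```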

Implementation and Interoperability

RFC 8705 anticipates implementations across a spectrum of software and services. Server-side implementations appear in products from vendors like NGINX, Apache Software Foundation projects, and identity platforms like Keycloak, while client support is relevant for libraries used in ecosystems around Node.js, Java SE, and .NET Framework. Interoperability testing recommendations draw on practices from IETF test events and conformance efforts analogous to those organized by the OpenID Foundation's interoperability programs. The specification also considers deployment patterns observed in cloud providers such as Microsoft Azure and Google Cloud Platform, and integration scenarios with access management offerings from companies like Ping Identity and IBM.

IANA Considerations

RFC 8705 includes IANA registration actions for new OAuth parameters and potential registry entries aligned with other IETF registries administered by the Internet Assigned Numbers Authority, in coordination with registries used by the IETF OAuth Working Group. These allocations facilitate consistent use of claim names and token binding identifiers across implementations by vendors including Amazon Web Services, Oracle Corporation, and open-source projects such as Kong.

Category: Internet Standards