@tatac1 tatac1 commented Jan 15, 2026

Closes #836

Summary

Implementation of RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens).

Features

  • Client Authentication Methods
    • tls_client_auth - PKI-based client authentication with CA chain validation
    • self_signed_tls_client_auth - Self-signed certificate authentication
  • Certificate-Bound Access Tokens - cnf claim with x5t#S256 thumbprint
  • Discovery Metadata - mTLS endpoint support in OIDC discovery

Changes

  • New pkg/op/mtls.go with core mTLS implementation (~714 lines)
  • Comprehensive test suite in pkg/op/mtls_test.go (114 tests)
  • Integration with Token, Introspection, UserInfo, and Revocation endpoints
  • Discovery configuration for mTLS auth methods

Test plan

  • Unit tests for certificate validation (CA chain, OID, Subject DN/SAN)
  • Unit tests for self-signed certificate authentication
  • Unit tests for certificate-bound token generation and verification
  • Integration tests for all OAuth flows with mTLS
  • CI tests

Implement OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound
Access Tokens as specified in RFC 8705.

Features:
- tls_client_auth: PKI-based client authentication with CA chain validation
- self_signed_tls_client_auth: Self-signed certificate authentication
- Certificate-bound access tokens with cnf claim (x5t#S256)
- Policy OID and EKU validation support
- Reverse proxy certificate header support
- LRU caching for DN parsing and thumbprint calculation
- Discovery metadata output (tls_client_certificate_bound_access_tokens,
  mtls_endpoint_aliases)

Token endpoints with mTLS support:
- Token endpoint (code exchange, refresh, client_credentials)
- Token exchange endpoint
- JWT profile endpoint
- Introspection endpoint
- Revocation endpoint
- UserInfo endpoint (certificate-bound token verification)

Security:
- Fail-closed model for mTLS clients
- Startup validation of MTLSConfig
- Certificate chain validation against Trust Store
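The certificate-bound token mechanism listed above (a `cnf` claim carrying the `x5t#S256` thumbprint, checked fail-closed at the protected resource), as an added Go example that is not part of this PR or the project's own code; the function names and the throw-away self-signed certificate are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// CertThumbprint computes x5t#S256 as defined in RFC 8705 section 3.1:
// base64url, without padding, of SHA-256 over the certificate's DER bytes.
func CertThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BindToken adds the cnf claim the token endpoint embeds when the client
// authenticated over mTLS; claims is the access token's claim set.
func BindToken(claims map[string]any, cert *x509.Certificate) map[string]any {
	claims["cnf"] = map[string]any{"x5t#S256": CertThumbprint(cert)}
	return claims
}

// VerifyBoundToken is the fail-closed check a protected resource performs:
// accept only if the certificate presented on the TLS connection hashes to
// the thumbprint in cnf. A missing cnf, missing certificate, or mismatch rejects.
func VerifyBoundToken(claims map[string]any, presented *x509.Certificate) bool {
	cnf, ok := claims["cnf"].(map[string]any)
	if !ok || presented == nil {
		return false
	}
	want, ok := cnf["x5t#S256"].(string)
	if !ok {
		return false
	}
	got := CertThumbprint(presented)
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

// newSelfSignedCert mints a throw-away certificate (constructed test data only).
func newSelfSignedCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A token minted for one client certificate verifies only against that certificate; presenting a different certificate, or no `cnf` at all, is rejected.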

Successfully merging this pull request may close these issues.

Feature Request: RFC 8705 mTLS Client Authentication