Originally submitted by josephheenan (Joseph Heenan) on 2024-01-13
We are continuing to see ecosystems that adopt FAPI but also mandate the use of MTLS on all endpoints.
Certainly in FAPI1 we have seen this with ConnectID, Brazil, UK and CDR - i.e. all the ecosystems we have certification tests for, but we also have indications that other ecosystems might adopt similar approaches.
If MTLS sender constrained access tokens are used (which is the only option in FAPI1 and I think still a common choice in FAPI2) this potentially only affects a few endpoints:
- Discovery
- Server JWKS
- PAR
Several ecosystems mandate the use of MTLS even when using private_key_jwt. I think it is a ‘Defence in depth’ type approach, with many security teams having a preference for enforcing MTLS at the perimeter but traffic within the perimeter still having some protection (i.e. the client authentication assertion).
The fact that all ecosystems and the main spec diverge in this area is one of the reasons we end up having to create ecosystem specific certification test variants. I think we should discuss it in the WG and consider whether this kind of setup should be included as an option in the specs & certification tests.
(We did sort of discuss this a little bit here: https://bitbucket.org/openid/fapi/issues/493/certification-query-supply-of-tls-client )
Bitbucket status: resolved
Bitbucket origin: issue 670
We are continuing to see ecosystems that adopt FAPI but also mandate the use of MTLS on all endpoints.
Certainly in FAPI1 we have seen this with ConnectID, Brazil, UK and CDR - i.e. all the ecosystems we have certification tests for, but we also have indications that other ecosystems might adopt similar approaches.
If MTLS sender constrained access tokens are used (which is the only option in FAPI1 and I think still a common choice in FAPI2) this potentially only affects a few endpoints:
Several ecosystems mandate the use of MTLS even when using private_key_jwt. I think it is a ‘Defence in depth’ type approach, with many security teams having a preference for enforcing MTLS at the perimeter but traffic within the perimeter still having some protection (i.e. the client authentication assertion).
The fact that all ecosystems and the main spec diverge in this area is one of the reasons we end up having to create ecosystem specific certification test variants. I think we should discuss it in the WG and consider whether this kind of setup should be included as an option in the specs & certification tests.
(We did sort of discuss this a little bit here: https://bitbucket.org/openid/fapi/issues/493/certification-query-supply-of-tls-client )
Bitbucket status: resolved
Bitbucket origin: issue 670