OAuth Mutual TLS
OAuth Mutual TLS (mTLS) is an extension that uses client certificates at the transport layer to authenticate OAuth clients and bind access tokens to those certificates, providing strong proof of possession.
Also: mTLS, mutual TLS
OAuth Mutual TLS extends OAuth 2.0 by adding client certificate authentication at the TLS layer. In a standard TLS connection, only the server presents a certificate. With mutual TLS, the client also presents one, and the authorization server verifies it before issuing a token.
The specification defines two modes. In PKI-based authentication, the client certificate is issued by a certificate authority the server trusts. In self-signed certificate authentication, the client registers its certificate (or a thumbprint) with the authorization server in advance.
Beyond client authentication, mTLS supports certificate-bound access tokens. The authorization server records a thumbprint of the client certificate inside the token. The resource server then checks that the certificate presented on its own TLS connection matches that thumbprint, so the token cannot be used by a client that does not present the same certificate.
This transport-layer binding provides strong proof of possession and is a requirement in high-security profiles such as FAPI.
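The binding check described above, as an added example that is not part of the original glossary entry: the authorization server stores the RFC 8705 thumbprint (base64url of the SHA-256 of the DER certificate, the `x5t#S256` member of the `cnf` claim) in the token, and the resource server recomputes it from the certificate on the incoming TLS connection. The certificate bytes are constructed placeholders standing in for real DER, and the claims dict stands in for a decoded JWT payload.

```python
import base64
import hashlib
import hmac
from typing import Optional

def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url (no padding) of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def bind_token(claims: dict, client_cert_der: bytes) -> dict:
    """Authorization-server side: copy the claims and add the cnf/x5t#S256 binding."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound

def verify_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept only if the TLS client certificate matches the token.

    A token without a cnf claim is treated as unbound and rejected, because a
    resource that requires certificate binding must not fall back to bearer use.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False  # unbound or malformed binding
    if presented_cert_der is None:
        return False  # no client certificate on this connection
    # Constant-time comparison of the expected and recomputed thumbprints.
    return hmac.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der))

# Constructed placeholder bytes, not real certificates (assumption for the example).
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-other-cert"

# Constructed token payload, as the authorization server would issue it.
ISSUED_CLAIMS = {"iss": "https://as.example", "sub": "client-123", "scope": "payments"}

if __name__ == "__main__":
    token = bind_token(ISSUED_CLAIMS, CLIENT_CERT_DER)
    print("same cert:", verify_binding(token, CLIENT_CERT_DER))      # True
    print("other cert:", verify_binding(token, OTHER_CERT_DER))      # False
    print("unbound token:", verify_binding(ISSUED_CLAIMS, CLIENT_CERT_DER))  # False
```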
For CIAM, OAuth mTLS is relevant in regulated industries where customer-facing APIs demand certificate-level client authentication and token binding.
Sources
- IETF RFC 8705, OAuth 2.0 Mutual-TLS Client Authentication: https://datatracker.ietf.org/doc/html/rfc8705
Standards
- IETF RFC 8705