Could be worded to either require the authorization endpoint be "publicly accessible" (for whatever "public" means, though that might be tricky), or to be accessible by the user agent with no other form of authentication needed, or specifically prohibit known lists of things like MTLS.
See this thread for context:
https://mailarchive.ietf.org/arch/msg/oauth/I9v_RvsGDHbfIpqwnH4vLXlTCls/