The specification currently does not support RP authentication with X.509 certificates that do not have a DNS name.
There can be multiple reasons why an RP may not have a DNS name in their certificates, examples include re-using an existing certificate that does not have a DNS name, an RP certificate issuer that does not want or cannot verify binding to a DNS name or using the same certificate for in-person as well as remote.
Two possible solutions are to add another client identifier scheme, or to not use a client_id when such a certificate is used.
The specification currently does not support RP authentication with X.509 certificates that do not have a DNS name.
There can be multiple reasons why an RP may not have a DNS name in their certificates, examples include re-using an existing certificate that does not have a DNS name, an RP certificate issuer that does not want or cannot verify binding to a DNS name or using the same certificate for in-person as well as remote.
Two possible solutions are to add another client identifier scheme, or to not use a client_id when such a certificate is used.