features.mTLS

RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS)

Specifies whether Mutual TLS capabilities shall be enabled. The authorization server supports three distinct capabilities that require separate configuration settings within this feature’s configuration object. Implementations MUST provide deployment-specific helper functions for certificate validation and processing operations.

default value:

{
  certificateAuthorized: [Function: certificateAuthorized], // see expanded details below
  certificateBoundAccessTokens: false,
  certificateSubjectMatches: [Function: certificateSubjectMatches], // see expanded details below
  enabled: false,
  getCertificate: [Function: getCertificate], // see expanded details below
  selfSignedTlsClientAuth: false,
  tlsClientAuth: false
}
features.mTLS options details

features.mTLS.certificateAuthorized

Specifies a helper function that shall be invoked to determine whether the client certificate used in the request is verified and originates from a trusted Certificate Authority for the requesting client. This function MUST return a boolean value indicating certificate authorization status. This validation is used exclusively for the tls_client_auth client authentication method.

default value:

function certificateAuthorized(ctx) {
  throw new Error('features.mTLS.certificateAuthorized function not configured');
}

features.mTLS.certificateBoundAccessTokens

Specifies whether Certificate-Bound Access Tokens shall be enabled as defined in RFC 8705 sections 3 and 4. When enabled, the authorization server shall expose the client's tls_client_certificate_bound_access_tokens metadata property for mutual TLS certificate binding functionality.

default value:

false

features.mTLS.certificateSubjectMatches

Specifies a helper function that shall be invoked to determine whether the client certificate subject used in the request matches the registered client property according to authorization server policy. This function MUST return a boolean value indicating subject matching status. This validation is used exclusively for the tls_client_auth client authentication method.

default value:

function certificateSubjectMatches(ctx, property, expected) {
  throw new Error('features.mTLS.certificateSubjectMatches function not configured');
}

features.mTLS.getCertificate

Specifies a helper function that shall be invoked to retrieve the client certificate used in the current request. This function MUST return either a crypto.X509Certificate instance or a PEM-formatted string representation of the client certificate for mutual TLS processing.

default value:

function getCertificate(ctx) {
  throw new Error('features.mTLS.getCertificate function not configured');
}

features.mTLS.selfSignedTlsClientAuth

Specifies whether Self-Signed Certificate Mutual TLS client authentication shall be enabled as defined in RFC 8705 section 2.2. When enabled, the authorization server shall support the self_signed_tls_client_auth authentication method within the server's clientAuthMethods configuration.

default value:

false

features.mTLS.tlsClientAuth

Specifies whether PKI Mutual TLS client authentication shall be enabled as defined in RFC 8705 section 2.1. When enabled, the authorization server shall support the tls_client_auth authentication method within the server's clientAuthMethods configuration.

default value:

false
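The three helper functions above (getCertificate, certificateAuthorized and certificateSubjectMatches) are deployment-specific, so the page only shows their throwing defaults. The following is an added example, not code from the node-oidc-provider project, of one complete features.mTLS configuration for a PKI tls_client_auth deployment. It assumes a reverse proxy that terminates TLS and forwards the client certificate as URL-encoded PEM in an x-client-cert header (header name is an assumption), a TRUSTED_CAS list of crypto.X509Certificate instances loaded at startup, and a policy that compares the registered tls_client_auth_subject_dn against the presented subject as an order-insensitive set of RDNs (X509Certificate#subject renders RDNs one per line in certificate order, whereas RFC 4514 strings list them reversed). The SAN prefixes (DNS:, URI:, IP Address:, email:) are Node's rendering of X509Certificate#subjectAltName and are assumed stable.

```javascript
// Added example: a features.mTLS configuration for node-oidc-provider.
// Not project code; header name, CA list and DN-comparison policy are assumptions.
const CLIENT_CERT_HEADER = 'x-client-cert';

// Issuers trusted for tls_client_auth. In a real deployment these are
// crypto.X509Certificate instances loaded from the CA bundle at startup.
const TRUSTED_CAS = [];

// Turn the proxy header back into PEM; null when absent or not a certificate.
function pemFromHeader(value) {
  if (typeof value !== 'string' || value === '') return null;
  let pem;
  try {
    pem = decodeURIComponent(value).trim();
  } catch {
    return null; // malformed percent-encoding: treat as "no certificate presented"
  }
  const looksLikeCert = pem.startsWith('-----BEGIN CERTIFICATE-----')
    && pem.endsWith('-----END CERTIFICATE-----');
  return looksLikeCert ? pem : null;
}

// features.mTLS.getCertificate: parse once per request, cache on Koa's ctx.state.
// Returning undefined makes the provider treat the request as having no client
// certificate (assumption about provider behaviour).
function getCertificate(ctx) {
  if (ctx.state.clientCertificate === undefined) {
    const pem = pemFromHeader(ctx.get(CLIENT_CERT_HEADER));
    if (pem === null) return undefined;
    try {
      const { X509Certificate } = require('node:crypto');
      ctx.state.clientCertificate = new X509Certificate(pem);
    } catch {
      return undefined; // header present but not a parseable certificate
    }
  }
  return ctx.state.clientCertificate;
}

// Chain check for PKI mTLS: the certificate must name one of the configured CAs
// as issuer AND carry a signature that verifies under that CA's public key.
function isIssuedByTrustedCA(cert, trustedCAs) {
  return trustedCAs.some((ca) => cert.checkIssued(ca) && cert.verify(ca.publicKey));
}

// features.mTLS.certificateAuthorized (the provider calls it with ctx only).
function certificateAuthorized(ctx, trustedCAs = TRUSTED_CAS) {
  const cert = getCertificate(ctx);
  return Boolean(cert) && isIssuedByTrustedCA(cert, trustedCAs);
}

// Canonicalise a DN for comparison: split on newline (X509Certificate#subject)
// or comma (RFC 4514), upper-case attribute types, keep values exact, and sort
// so RDN order does not matter. Values containing escaped commas are not handled.
function normalizeDN(dn) {
  return dn.split(/\r?\n|,/)
    .map((rdn) => rdn.trim())
    .filter((rdn) => rdn.includes('='))
    .map((rdn) => {
      const i = rdn.indexOf('=');
      return `${rdn.slice(0, i).trim().toUpperCase()}=${rdn.slice(i + 1).trim()}`;
    })
    .sort()
    .join(',');
}

// RFC 8705 section 2.1.2 client metadata -> SAN type prefix in Node's rendering.
const SAN_PREFIX = {
  tls_client_auth_san_dns: 'DNS',
  tls_client_auth_san_uri: 'URI',
  tls_client_auth_san_ip: 'IP Address',
  tls_client_auth_san_email: 'email',
};

// Values of one SAN type from "DNS:a, IP Address:192.0.2.1, URI:https://x/".
function sanValues(cert, prefix) {
  return (cert.subjectAltName || '').split(', ')
    .filter((entry) => entry.startsWith(`${prefix}:`))
    .map((entry) => entry.slice(prefix.length + 1));
}

// Policy: exactly one registered property is checked; unknown properties fail closed.
function subjectMatches(cert, property, expected) {
  if (property === 'tls_client_auth_subject_dn') {
    return normalizeDN(cert.subject) === normalizeDN(expected);
  }
  const prefix = SAN_PREFIX[property];
  if (!prefix) return false;
  const fold = property === 'tls_client_auth_san_dns' ? (s) => s.toLowerCase() : (s) => s;
  return sanValues(cert, prefix).some((value) => fold(value) === fold(expected));
}

// features.mTLS.certificateSubjectMatches
function certificateSubjectMatches(ctx, property, expected) {
  const cert = getCertificate(ctx);
  return Boolean(cert) && subjectMatches(cert, property, expected);
}

// The resulting feature configuration, to be passed as features: { mTLS }.
const mTLS = {
  enabled: true,
  tlsClientAuth: true, // RFC 8705 section 2.1 (PKI method)
  selfSignedTlsClientAuth: false, // RFC 8705 section 2.2 not offered here
  certificateBoundAccessTokens: true, // RFC 8705 sections 3 and 4
  getCertificate,
  certificateAuthorized,
  certificateSubjectMatches,
};
```

The pure helpers (pemFromHeader, isIssuedByTrustedCA, subjectMatches) are kept separate from the ctx-taking callbacks so the policy can be unit-tested without a live TLS socket. A proxy that forwards the header must also strip any x-client-cert value arriving from the client side; otherwise getCertificate would accept an attacker-supplied certificate, and certificateAuthorized would be the only remaining check.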