
features.mTLS

This content is for v8.x. Switch to the latest version for up-to-date documentation.

RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS)

Enables specific features from the Mutual TLS specification. The three main features each have their own setting in this feature's configuration object, and you must supply the deployment-specific helper functions described below.

default value:

{
certificateAuthorized: [Function: certificateAuthorized], // see expanded details below
certificateBoundAccessTokens: false,
certificateSubjectMatches: [Function: certificateSubjectMatches], // see expanded details below
enabled: false,
getCertificate: [Function: getCertificate], // see expanded details below
selfSignedTlsClientAuth: false,
tlsClientAuth: false
}
features.mTLS options details

certificateAuthorized

Function used to determine whether the client certificate used in the request is verified and was issued by a CA trusted for the client. Should return true/false. Only used for the tls_client_auth client authentication method.

default value:

function certificateAuthorized(ctx) {
throw new Error('features.mTLS.certificateAuthorized function not configured');
}

certificateBoundAccessTokens

Enables the section 3 and 4 Mutual TLS Client Certificate-Bound Access Tokens feature by exposing the client's tls_client_certificate_bound_access_tokens metadata property.

default value:

false

certificateSubjectMatches

Function used to determine whether the subject of the client certificate used in the request matches the registered client property (the property name and its expected value are passed as arguments). Only used for the tls_client_auth client authentication method.

default value:

function certificateSubjectMatches(ctx, property, expected) {
throw new Error('features.mTLS.certificateSubjectMatches function not configured');
}

getCertificate

Function used to retrieve the client certificate used in the request, either as a crypto.X509Certificate instance or as a PEM-formatted string.

default value:

function getCertificate(ctx) {
throw new Error('features.mTLS.getCertificate function not configured');
}

selfSignedTlsClientAuth

Enables the section 2.2 Self-Signed Certificate Mutual TLS client authentication method, self_signed_tls_client_auth, for use in the server's clientAuthMethods configuration.

default value:

false

tlsClientAuth

Enables the section 2.1 PKI Mutual TLS client authentication method, tls_client_auth, for use in the server's clientAuthMethods configuration.

default value:

false