Re: [OAUTH-WG] RFC 8705: How do we get client certificate from mTLS stack to OAuth stack for thumbprint confirmation

2022-08-19 Thread Jaimandeep Singh
Hi Takahiko, 1. Thx a lot for taking out the time and efforts for the detailed explanation. I especially liked your real world examples for extracting client certificates. I now realize that most of the HTTP servers provide a way for extraction of client certificates. Although, there is a degree o

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-19 Thread Jaimandeep Singh
Hi Karsten, Thx a lot for all the time and effort in explaining the things. This brings up an important discussion point as we are revising OAuth 2.0. Do we need to make the authorization code a temporary token? Section 1.3.1 of the draft RFC states: > An authorization code is a temporary credent

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-19 Thread Karsten Meyer zu Selhausen
Hi Jaimandeep, I disagree with both of your points. See my comments inline. Best regards, Karsten On 12.08.2022 05:40, Jaimandeep Singh wrote: Hi Mikheil, 1. Well explained by Brian. I will just add my perspective. From the practical perspective, if the confidential client got a refr