Question
Is there any kind of support for mutual TLS on VIP Authentication Hub? RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. Is there a scheduled release date for the feature?
I haven't seen any information on VIP Authentication Hub documentation, or option on the Admin Console.
Summary
RFC 8705 describes how to use mutual Transport Layer Security in the context of OAuth 2.0.
Normally, in TLS only the server presents a certificate to prove its identity to the client (the server is "trusted", the client is "anonymous"). In mutual TLS (mTLS) both the client and the server present certificates and verify each other.
Key Benefit:
Even if somebody steals your access token, they can't use it unless they also have the private key matching that particular certificate. This is called a "proof of possession" or "certificate bound" token. It drastically reduces the risk of token theft.
Thanks in advance
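As an added illustration (not from the post and not VIP Authentication Hub's own code), this is the resource-server side of the certificate binding the summary describes: RFC 8705 puts a `cnf.x5t#S256` claim in the token, and the server compares it with the thumbprint of the certificate the client authenticated with on the current mTLS connection. The certificate bytes and the token are constructed sample data, and verification of the JWT signature is assumed to happen elsewhere.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER-encoded certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def decode_jwt_claims(token: str) -> dict:
    """Parse the payload of a compact JWT. Signature verification against the
    issuer's keys is assumed to have happened before this point."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def token_bound_to_connection(claims: dict, client_cert_der: Optional[bytes]) -> bool:
    """RFC 8705 section 3 check: the token's cnf.x5t#S256 must match the thumbprint
    of the client certificate presented on this TLS connection. A token without a
    cnf claim, or a connection without a client certificate, is rejected."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False
    if client_cert_der is None:
        return False
    return hmac.compare_digest(cnf["x5t#S256"], x5t_s256(client_cert_der))

# Constructed sample data: these bytes stand in for DER certificates. A real server
# takes them from its TLS layer's peer-certificate API.
LEGIT_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-cert-of-legit-client"
OTHER_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-cert-of-other-client"

def _demo_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo only (no real signature)."""
    seg = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    header = seg(json.dumps({"alg": "demo"}).encode())
    return f"{header}.{seg(json.dumps(claims).encode())}.signature-placeholder"

BOUND_TOKEN = _demo_token({
    "sub": "client-app", "scope": "read",
    "cnf": {"x5t#S256": x5t_s256(LEGIT_CLIENT_CERT_DER)},
})

if __name__ == "__main__":
    claims = decode_jwt_claims(BOUND_TOKEN)
    print("same client cert :", token_bound_to_connection(claims, LEGIT_CLIENT_CERT_DER))  # True
    print("token replayed   :", token_bound_to_connection(claims, OTHER_CLIENT_CERT_DER))  # False
    print("no client cert   :", token_bound_to_connection(claims, None))                   # False
```

The second and third cases are the point of the summary's "key benefit": a token copied off one connection is useless on any connection that was not authenticated with the same certificate's private key.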