Feature Request: RFC 8705 mTLS Client Authentication #836

@tatac1

Description

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

The OIDC library currently does not support RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens). This standard is increasingly required for high-security environments, particularly in financial services (FAPI) and healthcare industries.

Describe your ideal solution

Implement RFC 8705 support with the following features:

Client Authentication Methods:

  • tls_client_auth - PKI-based client authentication with CA chain validation, Subject DN/SAN matching
  • self_signed_tls_client_auth - Self-signed certificate authentication via thumbprint comparison

Certificate-Bound Access Tokens:

  • Include cnf claim with x5t#S256 (SHA-256 certificate thumbprint) in access tokens
  • Verify certificate binding at introspection and userinfo endpoints

Discovery Metadata:

  • tls_client_certificate_bound_access_tokens
  • mtls_endpoint_aliases
  • Auth methods in token_endpoint_auth_methods_supported

Key Design Decisions:

  • Use optional interfaces (HasMTLSConfig, HasSelfSignedCertificate) for backward compatibility
  • Support both direct TLS certificate extraction and reverse proxy headers (X-Client-Cert)
  • Support Policy OID and Extended Key Usage validation (optional)
  • Global Trust Store with optional per-client override

Implementation

I have a working implementation ready:

  • Core mTLS implementation (~714 lines)
  • Comprehensive test suite (114 tests)
  • Integration with Token, Introspection, UserInfo, and Revocation endpoints

Happy to submit a PR if this feature aligns with the project's roadmap.

Version

v3.x

Environment

Self-hosted

Additional Context

RFC 8705: https://www.rfc-editor.org/rfc/rfc8705.html

Related standards:

  • FAPI 2.0 requires mTLS for sender-constrained tokens
  • OpenID Connect for Identity Assurance recommends certificate-bound tokens
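As an added illustration of the certificate-bound token handling requested above (the cnf/x5t#S256 claim and its verification at the introspection and userinfo endpoints), not code from this issue or from the zitadel/oidc library: the function names and the placeholder DER bytes in main are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// CertThumbprintS256 computes the RFC 8705 x5t#S256 value for a client
// certificate: base64url (no padding) of the SHA-256 digest of its DER bytes.
func CertThumbprintS256(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BindToken adds the cnf claim the token endpoint would embed in a
// certificate-bound access token.
func BindToken(claims map[string]any, der []byte) {
	claims["cnf"] = map[string]any{"x5t#S256": CertThumbprintS256(der)}
}

// VerifyCertBinding is the check an introspection or userinfo endpoint runs
// when it requires certificate-bound tokens: cnf.x5t#S256 must match the
// certificate presented on this request, and a token without cnf is rejected
// so a leaked bearer token cannot be replayed by a caller without the key.
func VerifyCertBinding(claims map[string]any, der []byte) error {
	cnf, ok := claims["cnf"].(map[string]any)
	if !ok {
		return errors.New("token is not certificate-bound: no cnf claim")
	}
	want, ok := cnf["x5t#S256"].(string)
	if !ok || want == "" {
		return errors.New("cnf claim carries no x5t#S256 thumbprint")
	}
	got := CertThumbprintS256(der)
	if subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		return errors.New("presented certificate does not match token binding")
	}
	return nil
}

func main() {
	// Constructed placeholder bytes stand in for two different DER certificates.
	alice, mallory := []byte("der-of-alice-cert"), []byte("der-of-mallory-cert")
	claims := map[string]any{"sub": "alice", "scope": "accounts"}
	BindToken(claims, alice)
	fmt.Println(VerifyCertBinding(claims, alice), VerifyCertBinding(claims, mallory))
}
```

In a real handler the DER bytes come from r.TLS.PeerCertificates[0].Raw, or from the forwarded X-Client-Cert header when TLS is terminated at a reverse proxy.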
