Mutual TLS for OAuth Client Authentication
Mutual TLS is a widely used, secure authentication technique in enterprise environments that lets the client and the server each verify the other's authenticity. Both parties authenticate with certificates, after which an encrypted channel is established between them.
The TLS Handshaking Protocol for mutual authentication.
According to the TLS specification, the handshaking protocol consists of three subprotocols that allow peers to agree upon security parameters for the record layer, to authenticate themselves, to instantiate negotiated security parameters, and to report error conditions to each other.
The Handshake Protocol is responsible for negotiating a session, which includes validating the peer's X.509 certificate.
When the server requests a client certificate (as part of the TLS handshake), it also provides a list of trusted CAs as part of the certificate request. If the client certificate you wish to present for authentication is not signed by one of these CAs, it will not be presented to the server. Also, the certificate can be signed by an intermediate CA ("ICA") while the server presents the client with the root CA ("RCA"), and your web browser will still let you pick your certificate even though it's signed by the ICA…
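The CA-list behaviour described above, as an added Go example that is not part of the original article: a server advertises a single trusted CA in its certificate request, and a `crypto/tls` client whose certificate was issued by a different CA withholds it. The helper names (`issue`, `handshake`) and the `*.test` subjects are assumptions made for the illustration, and all certificates are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a constructed test certificate for cn, signed by parent (a self-signed CA if nil); errors ignored for brevity.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	signer, signKey := tmpl, any(key)
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake returns how many certificates the client presented to a server that lists only ca as a trusted client CA.
func handshake(mode tls.ClientAuthType, ca, client tls.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cli := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "server.test"}
	srv := &tls.Config{Certificates: []tls.Certificate{issue("server.test", &ca)},
		ClientCAs: pool, ClientAuth: mode, SessionTicketsDisabled: true} // no tickets: the pipe stays turn-based
	c, s := net.Pipe() // in-memory connection, no network needed
	go tls.Client(c, cli).Read(make([]byte, 1)) // client handshakes, then waits for the server to close
	conn := tls.Server(s, srv)
	defer conn.Close()
	err := conn.Handshake()
	return len(conn.ConnectionState().PeerCertificates), err
}

func main() {
	rca, other := issue("rca.test", nil), issue("other-ca.test", nil)
	fmt.Println(handshake(tls.RequireAndVerifyClientCert, rca, issue("alice.test", &rca)))     // issued by listed CA: presented
	fmt.Println(handshake(tls.VerifyClientCertIfGiven, rca, issue("mallory.test", &other)))    // withheld, handshake still succeeds
	fmt.Println(handshake(tls.RequireAndVerifyClientCert, rca, issue("mallory.test", &other))) // withheld, handshake fails
}
```

The second case is the one to watch on the server side: with an optional client-certificate mode the TLS session is established with no authenticated client, so the application has to check the peer certificates itself or require them at the TLS layer.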