
RFC 8705 Deep Dive: Turning Access Tokens into "Unstealable Tokens" with mTLS
Introduction

In my previous article exploring RFC 6750 (Bearer Token Usage), I concluded with the following statement:

"If theft resistance is required, consider DPoP (RFC 9449) or mTLS (RFC 8705)."

Today, we will take a deep dive into RFC 8705.

In the world of OAuth 2.0, access tokens are fundamentally treated as Bearer Tokens, meaning they are "tokens that grant access to anyone who possesses them." They operate much like cash: if someone steals it from you, it's gone, and they can spend it.

RFC 8705 addresses this inherent vulnerability by providing two distinct approaches utilizing mTLS (Mutual TLS):

mTLS Client Authentication — Authenticating the client using an X.509 certificate instead of a client_secret.
Certificate-Bound Access Token — Binding the access token to the client's certificate, rendering it useless if stolen.

It is crucial to understand that these two mechanisms are computationally and conceptually independent. You can use one without the other, or both together. Gra
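To make the second mechanism concrete, here is an added example (not code from the original article) of what a certificate-bound access token looks like and how a resource server checks it. RFC 8705 binds the token by placing the base64url-encoded SHA-256 thumbprint of the client's DER certificate in the token's `cnf` claim under the key `x5t#S256`; the resource server recomputes that thumbprint from the certificate presented on the mTLS connection and rejects the token if it differs. The certificate bytes, the signing key, the client identifiers and the use of HS256 (instead of the asymmetric signature a real authorization server would use) are all constructed assumptions so the example runs offline with only the standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs and in x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 value: base64url(SHA-256(DER-encoded certificate)) per RFC 8705 section 3.1.
    The certificate is treated as opaque DER bytes; nothing needs to be parsed."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_token(claims: dict, client_cert_der: bytes, key: bytes) -> str:
    """Authorization-server side: add the cnf confirmation claim and sign the token.
    HS256 with a shared key is an assumption for self-containment only."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    body = dict(claims)
    body["cnf"] = {"x5t#S256": cert_thumbprint(client_cert_der)}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(body, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_bound_token(token: str, presented_cert_der: bytes, key: bytes) -> Optional[dict]:
    """Resource-server side: verify the signature, then require that the certificate
    presented on the mTLS connection matches the thumbprint the token was bound to.
    Returns the claims on success, None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # forged or tampered token
    claims = json.loads(b64url_decode(payload_b64))
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return None  # plain bearer token; refuse it under a certificate-bound policy
    if not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        return None  # token presented over a connection with a different client certificate
    return claims


# Constructed sample data (not real certificates or keys).
LEGIT_CERT_DER = b"constructed-DER-bytes-of-the-legitimate-client-certificate"
OTHER_CERT_DER = b"constructed-DER-bytes-of-some-other-certificate"
KEY = b"constructed-shared-signing-key"
TOKEN = issue_bound_token({"iss": "https://as.example", "sub": "client-123", "scope": "read"},
                          LEGIT_CERT_DER, KEY)


def demo() -> dict:
    """Summarise the two outcomes: the bound token works only with the matching certificate."""
    return {
        "with_bound_cert": verify_bound_token(TOKEN, LEGIT_CERT_DER, KEY) is not None,
        "with_other_cert": verify_bound_token(TOKEN, OTHER_CERT_DER, KEY) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice is the last check in `verify_bound_token`: the signature alone proves who issued the token, but only the thumbprint comparison proves that the party presenting it holds the private key of the certificate it was issued to. A copied token replayed from a connection with a different client certificate fails that comparison, which is exactly the property that turns a bearer token into the "unstealable" token of the title.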
Continue reading on Dev.to



