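%% You should probably cite rfc8705 instead of this I-D.
%%
%% This entry pins revision 11 of the Internet-Draft (dated 30 August 2018),
%% which was a work in progress when it was written. For implementing or
%% reviewing mutual-TLS client authentication and certificate-bound access
%% tokens, rely on the published RFC. Cite this revision only when the point
%% being made is about the draft itself.
%%
%% Entry conventions:
%%   - Author names use the unambiguous "Last, First" form.
%%   - Only the words that must keep their case (OAuth, TLS) are braced in the
%%     title, so a bibliography style can still apply its own casing.
%%   - pagetotal, day and abstract are not standard techreport fields; classic
%%     styles ignore them and they are kept as metadata.
@techreport{ietf-oauth-mtls-11,
  author      = {Campbell, Brian and Bradley, John and Sakimura, Nat and Lodderstedt, Torsten},
  title       = {{OAuth} 2.0 Mutual {TLS} Client Authentication and Certificate Bound Access Tokens},
  type        = {Internet-Draft},
  number      = {draft-ietf-oauth-mtls-11},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2018,
  month       = aug,
  day         = 30,
  pagetotal   = 22,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/11/},
  abstract    = {This document describes OAuth client authentication and certificate bound access tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.},
}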