Build RFC 8705 mTLS registration metadata
Source: R/mtls_registration.R
oauth_client_mtls_registration.Rd
Returns a JSON-ready list of client metadata for registering an OAuthClient that uses RFC 8705 mutual TLS or requests certificate-bound access tokens.
For token_auth_style = "tls_client_auth", this helper returns
token_endpoint_auth_method = "tls_client_auth" plus exactly one RFC 8705
certificate identifier field:
tls_client_auth_subject_dn, tls_client_auth_san_dns,
tls_client_auth_san_uri, tls_client_auth_san_ip, or
tls_client_auth_san_email.
For token_auth_style = "self_signed_tls_client_auth", this helper returns
token_endpoint_auth_method = "self_signed_tls_client_auth" plus either an
inline jwks document built from the configured client certificate and
certificate chain (published via x5c), or a caller-supplied jwks_uri.
For clients that request RFC 8705 certificate-bound access tokens without
mTLS OAuth client authentication, this helper returns the runtime
token_auth_style mapped back to the dynamic-registration metadata value
(for example, public becomes none) and emits
tls_client_certificate_bound_access_tokens = TRUE.
This helper prepares metadata only. It does not make a registration HTTP call.
Usage
oauth_client_mtls_registration(
  oauth_client,
  tls_client_auth_type = c("subject_dn", "san_dns", "san_uri", "san_ip", "san_email"),
  tls_client_auth_value = NULL,
  jwks_uri = NULL
)
Arguments
- oauth_client
OAuthClient configured for RFC 8705 mutual TLS client authentication or for certificate-bound access tokens.
- tls_client_auth_type
For tls_client_auth, which RFC 8705 certificate identifier field to emit. One of "subject_dn", "san_dns", "san_uri", "san_ip", or "san_email".
- tls_client_auth_value
Optional explicit value for the selected tls_client_auth_type. When omitted, shinyOAuth derives the subject DN or, when possible, a unique matching SAN value from the configured client certificate. Auto-derived IP SAN values are normalized to dotted-decimal IPv4 or RFC 5952 IPv6 text. If the certificate exposes no unambiguous SAN for the chosen type, pass the exact registration value explicitly.
- jwks_uri
Optional absolute URL of a JWKS document to publish for self_signed_tls_client_auth. When omitted, the helper returns an inline jwks object with the configured client certificate chain in x5c.
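A pre-registration lint for the three metadata shapes described above, as an added example that is not part of shinyOAuth. `check_mtls_registration` is a hypothetical helper, the sample values are constructed, and requiring https for jwks_uri is this example's own assumption.

```r
# Added example: lint RFC 8705 registration metadata (a plain R list) before
# it is serialized and sent to a registration endpoint. Base R only.
check_mtls_registration <- function(meta) {
  id_fields <- paste0("tls_client_auth_",
                      c("subject_dn", "san_dns", "san_uri", "san_ip", "san_email"))
  present <- intersect(id_fields, names(meta))
  method <- meta[["token_endpoint_auth_method"]]
  has_jwks <- !is.null(meta[["jwks"]])
  has_uri <- !is.null(meta[["jwks_uri"]])
  problems <- character()
  if (identical(method, "tls_client_auth")) {
    if (length(present) != 1L) {
      problems <- c(problems, sprintf(
        "tls_client_auth needs exactly one identifier field, found %d",
        length(present)))
    }
  } else if (identical(method, "self_signed_tls_client_auth")) {
    if (has_jwks == has_uri) {
      problems <- c(problems, "need exactly one of jwks or jwks_uri")
    }
    # Requiring https is this example's policy choice (assumption).
    if (has_uri && !grepl("^https://[^/]+", meta[["jwks_uri"]])) {
      problems <- c(problems, "jwks_uri is not an absolute https URL")
    }
    # Every inline key must carry its certificate chain in x5c.
    keys <- if (has_jwks) meta[["jwks"]][["keys"]] else list()
    no_x5c <- vapply(keys, function(k) length(k[["x5c"]]) == 0L, logical(1))
    if (has_jwks && (length(keys) == 0L || any(no_x5c))) {
      problems <- c(problems, "inline jwks has no keys or a key without x5c")
    }
  } else if (!isTRUE(meta[["tls_client_certificate_bound_access_tokens"]])) {
    problems <- c(problems, "no mTLS auth method and no certificate-bound tokens")
  }
  # Lint: identifier fields only mean something with tls_client_auth.
  if (!identical(method, "tls_client_auth") && length(present) > 0L) {
    problems <- c(problems, "identifier field set without tls_client_auth")
  }
  problems
}
# Constructed sample metadata (placeholder values, not real clients).
ok <- list(token_endpoint_auth_method = "tls_client_auth",
           tls_client_auth_san_dns = "client.example.com")
bad <- c(ok, list(tls_client_auth_subject_dn = "CN=client.example.com"))
bound <- list(token_endpoint_auth_method = "none",
              tls_client_certificate_bound_access_tokens = TRUE)
stopifnot(length(check_mtls_registration(ok)) == 0L,
          length(check_mtls_registration(bad)) == 1L,
          length(check_mtls_registration(bound)) == 0L)
```

The function returns a character vector of problems, so an empty result means the list matches one of the shapes this page documents.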