OAuth 2.0 client authentication over TLS with X.509 certificates

The existing standard methods for an OAuth 2.0 client to authenticate with an authorisation server are HTTP basic authentication or a JWT assertion (signed or HMAC-protected).

To address the requirements of fintech and open banking apps, where TLS certificate-based authentication is mandated by law, the OAuth WG is putting together a new spec.

This spec also defines a neat security enhancement: the issued access token includes a hash (thumbprint) that binds it to the client's certificate, preventing misuse of the token if it's accidentally leaked or stolen.
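The binding described above, as an added illustration that is not code from the page or the product it describes: the authorisation server puts the base64url-encoded SHA-256 thumbprint of the client's DER certificate into the token, and the resource server accepts the token only when the certificate presented on the TLS connection hashes to the same value. The claim names `cnf` and `x5t#S256` are those of the published RFC for this mechanism (RFC 8705); the certificate bytes are constructed stand-ins, and token signing is left out to keep the binding check in focus.

```python
import base64
import hashlib
import hmac
import json


def x5t_s256(cert_der: bytes) -> str:
    """base64url (no padding) of SHA-256 over the DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token(claims: dict, client_cert_der: bytes) -> str:
    """Authorisation server side: add the cnf binding and serialise the payload.
    A real server also signs the token; only the binding is shown here."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return json.dumps(bound)


def verify_binding(token_payload: str, presented_cert_der: bytes) -> bool:
    """Resource server side: accept only if the TLS client certificate
    presented on this connection matches the thumbprint in the token."""
    claims = json.loads(token_payload)
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        # Not a certificate-bound token: reject instead of falling back to
        # plain bearer semantics, which would defeat the purpose of binding.
        return False
    # Constant-time comparison of the two thumbprint strings.
    return hmac.compare_digest(cnf["x5t#S256"], x5t_s256(presented_cert_der))


# Constructed stand-ins for DER certificate bytes (not real certificates).
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-other-cert"

if __name__ == "__main__":
    token = issue_bound_token({"sub": "client-123", "scope": "accounts"}, CLIENT_CERT_DER)
    print(verify_binding(token, CLIENT_CERT_DER))  # legitimate client: True
    print(verify_binding(token, OTHER_CERT_DER))   # leaked token, other cert: False
```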

JWT-secured authorisation requests

JWT-secured requests were originally introduced in OpenID Connect. The OAuth WG is currently completing a spec for their general use in OAuth 2.0.

Token exchange

The OAuth 2.0 Token Exchange spec defines an STS API for obtaining tokens as well as implementing impersonation and delegation use cases.

The token exchange spec will be implemented once it becomes final or sufficiently stable.

OAuth 2.0 Device Flow

A flow for browser-less and input-constrained devices, such as smart TVs, media consoles and printers. The spec is still in development.