]> Defakto Security

arndts.ietf@gmail.com

Defakto Security

pieter@defakto.security

NIST

scott.rose@nist.gov

IBM

sthorger@ibm.com

Cisco Systems

ncamwing@cisco.com

sec Web Authorization Protocol workload identity credential exchange This specification profiles the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants , the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants , and OAuth 2.0 Attestation-Based Client Authentication to enable the use of SPIFFE Verifiable Identity Documents (SVIDs) as client credentials in OAuth 2.0. It defines how OAuth clients with SPIFFE credentials can authenticate to OAuth authorization servers using their JWT-SVIDs, WIT-SVIDs, or X.509-SVIDs without the need for client secrets. This approach enhances security by enabling seamless integration between SPIFFE-enabled workloads and OAuth authorization servers while eliminating the need to distribute and manage shared secrets such as static client secrets. About This Document Status information for this document may be found at . Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Traditional OAuth client authentication typically relies on client secrets or private key JWT authentication, both require an out of band distribution of secret material to the OAuth client. In modern cloud-native architectures where identity is managed by SPIFFE (Secure Production Identity Framework for Everyone), there is a need to provision additional secret material for OAuth clients when attested identifiers and credentials such as SVIDs are already available. This specification profiles the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants to allow SPIFFE-enabled workloads to use their SPIFFE Verifiable Identity Documents (SVIDs), either X.509 certificates or JSON Web Tokens (JWT-SVID & WIT-SVID), as client credentials for OAuth 2.0 client authentication. JWT-SVIDs make use of a profiled version of the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants . WIT-SVIDs make use of the OAuth 2.0 Attestation-Based Client Authentication . This profile focuses on using SPIFFE credentials for OAuth client authentication. The SPIFFE profile for client authentication enables seamless integration between SPIFFE-based and OAuth-based systems, allowing applications to leverage both ecosystems without requiring additional credential management. It also enables a more secure authentication method by leveraging cryptographically verifiable credentials rather than shared secrets.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology This specification uses the terms defined in OAuth 2.0 , the Assertion Framework for OAuth 2.0 , the JWT profile of it , and the SPIFFE specifications. In particular, the following terms are particularly relevant: Trust Domain: As defined in SPIFFE; A trust domain represents a single trust root. All SVIDs issued within a trust domain are verifiable via the trust domain's keys. SPIFFE ID: A unified resource identifier that uniquely and specifically identifies a workload using the spiffe scheme. See for details. SVID: A SPIFFE Verifiable Identity Document. This document specifies the use of three types of SVIDs:

• X.509-SVID: An X.509 certificate that contains a SPIFFE ID in the URI SAN extension. See for details.
• JWT-SVID: A JSON Web Token (JWT) that contains a SPIFFE ID in the sub claim. See for details.
• WIT-SVID: WIT-SVID: A WIMSE Workload Identity Token (WIT) that contains a SPIFFE ID in the sub claim. See for details.

SPIFFE Bundle: A collection of public keys and associated metadata that allow validation of SVIDs issued by a trust domain. SPIFFE Bundle Endpoint: A URL that serves a SPIFFE bundle for a trust domain.

OAuth Client Authentication Using SPIFFE This section describes how SPIFFE identity documents can be used for OAuth 2.0 client authentication, following the patterns established in and, in case of JWT-SVID . OAuth 2.0 client authentication is used to authenticate the client to the authorization server when making requests to the token endpoint. When using SPIFFE for client authentication, the client presents its SVID (JWT-SVID, WIT-SVID, or X.509-SVID) to prove its identity.

Client Authentication with JWT-SVIDs JWT-SVID based authentication naturally follows the JWT Profile for OAuth 2.0 Client Authentication , with specific adaptations for SPIFFE JWT-SVIDs. remains valid. To identify the assertion content as a JWT-SVID this specification establishes the following client assertion type as an OAuth URI according to : Based on the following request parameters MUST be present to perform client authentication in the context of this specification:

• client_assertion_type: MUST be set to urn:ietf:params:oauth:client-assertion-type:jwt-spiffe.
• client_assertion: MUST be a single SPIFFE JWT-SVID.

To validate JWT-SVID client authentication requests the authorization server MUST:

1. Verify that the JWT is well-formed and contains all required claims (SPIFFE ID in sub, aud, and exp).
2. Verify that the JWT has not expired (check the exp claim).
3. Verify that the aud claim contains only the issuer identifier of the authorization server as its sole value. See for details.
4. Verify the JWT signature using the signing keys of the trust domains according to .
5. Verify that the SPIFFE ID in the sub claim matches or is associated with a recognized client identifier. If the client authentication is presented with a client_id that is a URL described in , verify that the SPIFFE ID in the sub claim matches the spiffe_id value in the Client ID Metadata Document as described in .

JWT-SVID example The following examples illustrates an authorization_code request to the token endpoint of an OAuth 2.0 authorization server leveraging a SPIFFE JWT-SVID to authenticate the client. For clarity, the SPIFFE-JWT header and body decoded:

JWT-SVID example with Client ID Metadata Document The following example illustrates a client_credentials request to the token endpoint of an OAuth 2.0 authorization server leveraging a SPIFFE JWT-SVID to authenticate the client. For clarity, the SPIFFE-JWT header and body decoded: The client_id points to a Client ID Metadata Document () with the following contents:

Client Authentication using X509-SVID X.509-SVID based authentication uses mutual TLS as defined in OAuth 2.0 Mutual-TLS Client Authentication , with specific adaptations for SPIFFE X.509-SVIDs. To authenticate using an X.509-SVID, the client establishes a mutual TLS connection with the authorization server using its X.509-SVID as the client certificate. The authorization server validates the client certificate as an X.509-SVID and extracts the SPIFFE ID from the URI SAN. The server certificate MUST be validated by the client using its system trust store, and NOT the SPIFFE trust bundle. The request MUST include the client_id parameter containing the SPIFFE-ID of the client. It MUST match the URI SAN of the presented X509-SVID client credential. The server validates the client certificates according the following rules

1. Perform standard X.509 path validation against the trust anchors according to .
2. Verify that the certificate contains exactly one URI SAN with a valid SPIFFE ID.
3. Verify that the certificate is a leaf certificate (Basic Constraints extension has CA=FALSE).
4. Verify that the certificate has the digitalSignature key usage bit set.
5. Verify that the SPIFFE ID in the URI SAN matches a registered client identifier or is associated with a registered client identifier.

X509-SVID Example The following request uses a refresh token to obtain a new access token. The client is spiffe://example.org/my-oauth-client and is authenticated by performing this request over a mutual TLS connection. For clarity, the presented X509-SVID client certificate to the server decoded via openssl x509 -text is:

Client Authentication with WIT-SVIDs A WIT-SVID is a WIMSE Workload Identity Token (WIT) as defined in that contains a SPIFFE ID in the sub claim . It uses OAuth 2.0 Attestation-Based Client Authentication for client authentication. A WIT-SVID as issued by a SPIFFE implementation binds a key pair held by the client via the cnf claim. The key pair bound to the WIT-SVID is used to generate an attestation proof during client authentication. The attestation proof is in the form of a "Client Attestation PoP JWT" as defined in that is issued by the client and signed with the private part of the key pair bound in the WIT-SVID. The WIT-SVID and the corresponding Client Attestation PoP JWT are sent together to the authorization server as a means of client authentication using the HTTP header-based syntax defined in Section 6.1 of .

Authorization Server Validation To validate a WIT-SVID client authentication request, the authorization server MUST apply the following rules:

• The authorization server MUST accept wit+jwt as a valid value of the typ JWT header parameter in the OAuth-Client-Attestation header, in addition to oauth-client-attestation+jwt.
• The WIT-SVID MUST be validated as a Workload Identity Token according to Section 3.1 of .
• The WIT-SVID signature MUST be verified using the signing keys of the trust domain according to .
• The Client Attestation PoP JWT MUST be validated according to Section 5.2 of .

• TODO: What to do with attest_jwt_client_auth method in AS metadata?

WIT-SVID Example The following example illustrates a token request using a WIT-SVID and a Client Attestation PoP JWT for client authentication. The WIT-SVID (OAuth-Client-Attestation) header and body decoded: The Client Attestation PoP JWT (OAuth-Client-Attestation-PoP) header and body decoded: The token endpoint request:

Interoperability In order to achieve interoperability between the authorization server and clients the authorization server MUST advertise what client authentication methods are supported. Authorization servers MUST support at least one of JWT-SVID, X509-SVID or WIT-SVID. The methods supported MUST be advertised in the authorization servers metadata by including spiffe_jwt, spiffe_wit and/or spiffe_x509 in the token_endpoint_auth_methods_supported list. Additionally, the same should be included in revocation_endpoint_auth_methods_supported and introspection_endpoint_auth_methods_supported when applicable. Clients MUST support at least one of JWT-SVID, X509-SVID or WIT-SVID. To guarantee interoperability a client SHOULD support all. It is the responsibility of the client to select the authentication method supported by the authorization server and its deployment.

SPIFFE Trust Establishment and Client Registration This specification requires previously established trust between the OAuth 2.0 Authorization Server and the SPIFFE Trust Domain. This needs to happen out of band and is not in scope of this specification. However, the mechanisms of key distribution is in scope and described in . Similar to the trust establishment, corresponding OAuth clients need to be registered when using SPIFFE credentials for client authentication. OAuth client registration may leverage Client ID Metadata Documents , OAuth 2.0 Dynamic Client Registration or configure them out of band.

Client Registration Metadata This specification defines the following client metadata parameters for use in Client ID Metadata Documents :

spiffe_id

REQUIRED. The SPIFFE ID of the client, e.g. spiffe://example.org/my-oauth-client. The value MAY include a trailing /* character sequence (e.g. spiffe://example.org/workloads/*) indicating that a prefix match against the SPIFFE ID in the sub claim of the JWT-SVID is acceptable rather than requiring an exact match.

spiffe_bundle_endpoint

OPTIONAL. The URL of the SPIFFE Bundle Endpoint for the client's trust domain, which the authorization server can use to retrieve the signing keys for validating the client's SVIDs. If not provided, the authorization server MUST obtain the signing keys for the client's trust domain through some other established mechanism, such as a pre-configured SPIFFE bundle.

If the spiffe_id value uses a wildcard, it MUST end with the two-character sequence "/*". In this case, the authorization server MUST perform a path-segment prefix match: the sub claim value MUST begin with the spiffe_id value excluding the trailing "*" (i.e., up to and including the final "/"), and this prefix MUST correspond to complete path segment(s) of the SPIFFE ID (for example, spiffe://example.org/client/* matches spiffe://example.org/client/123 but does not match spiffe://example.org/client123). Otherwise, the sub claim MUST be an exact match of the spiffe_id value.

SPIFFE Key Distribution and Validation This section describes how an authorization server verifies the signature of an X509 or JWT-SVID. It recommends two SPIFFE-native approaches. Trust bundles in general MUST be keyed by the trust domain identifier to prevent mix up between trust domain and their corresponding bundles. The 2 approaches can be used in conjunction, for instance:

SPIFFE Bundle Endpoint The SPIFFE Bundle Endpoint exposes the signing keys for X509-SVIDs, JWT-SVIDs and WIT-SVID over HTTP via a JSON Web Key Set according to . Server authentication on this endpoint is available in two flavors. For the sake of interoperability, in the context of this specification the WebPKI flavor MUST be used. This effectively means that the server certificate of the bundle endpoint is trusted by the authorization server accessing it. See Sec 5.2.1 of for details. The authorization server SHOULD periodically poll the bundle endpoint to retrieve updated trust bundles, following the refresh hint and period provided in the bundle. See for details. The SPIFFE bundle endpoint cannot be derived from the JWT-SVID, X509-SVID or JWT-SVID and MUST be configured manually out of band. Bundle endpoints MUST be keyed by the trust domain identifier.

Example The following examples showcase how the Authorization Server can perform key discovery for the trust domain example.org. Important to note is the difference between example.org trust domain and example.com location for the SPIFFE Bundle Endpoint. This highlights the importance of explicit configuration and demonstrates why the SPIFFE Bundle Endpoint cannot be derived or discovered from the JWT-SVID, X509-SVID or WIT-SVID without explicit configuration. Example configuration at the OAuth Authorization Server in the JSON format

• Note difference between example.org and example.com

Example SPIFFE Bundle Endpoint request, response:

• The use parameter in the JSON Web Key indicates the credential format the key is indended for. Multiple keys of the same use can be present.

The X509-SVID signing certificate (.keys[0].x5c[0] from response above) in text form:

• TODO: Bundle doesn't match X509-SVID. This needs to be fixed.

Alternative methods to avoid The following key distribution mechanisms are alternatives and SHOULD be avoided for interopability reasons.

SPIFFE Workload API The SPIFFE Workload API allows workloads to retrieve a trust bundle. It requires the authorization server to be part of a SPIFFE trust domain and be considered a workload within it. The SPIFFE Workload API is build in a way that the workload proactively retrieves trust bundles updates and does not need to poll them, which reduces the time to distribute them. In addition to the trust bundle of the trust domain the workload resides in, the SPIFFE Workload API also allows to retrieve trust bundles from federated trust domains. This approach is NOT RECOMMENDED for OAuth SPIFFE Client Authentication for the following reasons:

• OAuth Authorization Server needs to be a workload within a SPIFFE trust domain, which is a significant limitation for deployment scenarios.
• Federated trust domain bundles create ambiguity about how they are handled. When distributed via the SPIFFE Workload API the trust relationship and points where they are established become ambiguous.

Manual configuration In small, static environments the authorization server MAY be configured with the SPIFFE bundles manually. This approach requires human interaction to set up, rotate and manage keying material and is thus generally NOT RECOMMENDED.

Using the system trust store X509-SVIDs MUST NOT be validated using the system trust store. The SPIFFE ID carried in the URI SAN is usually not a verifiable attribute in the broader X.509 ecosystem. Using the system trust store as trust anchor would allow ANY certificate authority in it to issue a trusted X509-SVID for ANY SPIFFE ID. In comparison: using SPIFFE-native validation methods restricts the signing of SPIFFE-IDs to the corresponding trust domain signing keys.

Using the JWT-SVID or WIT-SVID iss claim JSON Web Token-based credentials carrying iss claims could technically be validated by retrieving the signing keys via OpenID Connect Discovery or OAuth 2.0 Authorization Server Metadata. This approach only applies for the JWT-SVID and WIT-SVID and only works when the iss claim is present, which is optional. Because of its narrow scope and interoperability considerations, this approach is not a general alternative to the SPIFFE Bundle Endpoint. Implementations SHOULD use the mechanisms defined in this specification when available. However, when those mechanisms are not supported by a peer deployment, implementations MAY use iss-based discovery and key retrieval for JWT-SVID or WIT-SVID validation as a compatibility mechanism, subject to local policy, appropriate trust configuration and risk mitigations described in .

Implementation Status Note to RFC Editor: please remove this section, as well as the reference to RFC 7942, before publication. This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". Keycloak

• Organization: CNCF / IBM
• Maturity: preview
• Coverage: JWT-SVID client authentication using SPIFFE Trust Bundle Endpoint
• Contact: Keycloak community & maintainers

Security Considerations Client authentication using JWT-SVIDs has the same security considerations as described in , and . Client authentication using X509-SVIDs has the same security considerations as described in . The validation rules in section 3.2 protect against an OAuth2 token being issued (or being issued incorrectly) to a client that did not present an appropriate X509-SVID. Client authentication using X509-SVIDs has the same security considerations as described in and The issues described in Section 5.2 above include the threat that an authorization server may have the incorrect trust stores configured to validate the client SVID. This could result in an incorrectly issued token to an attacker if the attacker is able to obtain a certificate that can be validated by one of the misconfigured trust anchors in the trust store.

JWT-SVID and WIT-SVID iss claim As described in , iss-based key discovery is not a general alternative to the SPIFFE Bundle Endpoint and SHOULD be avoided. However, if it is used, the authorization server MUST NOT perform issuer-based discovery solely based on the iss value from the token unless the iss value is already trusted by the authorization server, and that iss value is explicitly associated with the configured SPIFFE Trust Domain being validated. In addition implementations MUST NOT assume that keys advertised via OpenID Connect Discovery or OAuth 2.0 Authorization Server Metadata are dedicated to JWT-SVID issuance. The same provider infrastructure may issue multiple JWT types (e.g., OAuth/OIDC tokens, JWT-SVIDs, WIT-SVIDs). A token MUST NOT be accepted as a JWT-SVID or WIT-SVID solely because it is a JWT, its signature validates under keys discovered from iss, and its sub resembles a SPIFFE ID. Doing so can enable token confusion (e.g., presenting an OAuth/OIDC token issued for another purpose as a JWT-SVID). Implementations MUST validate SVIDs according to SVID-specific requirements and MUST use a trust anchor or key source explicitly bound to the configured SPIFFE Trust Domain, rather than generic issuer-based discovery from untrusted token input.

IANA Considerations This document requests a new entry to be added to the Oauth URI registry found at https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri. The registration process is defined in . This document requests the following entry to be added to the registry:

• URN: urn:ietf:params:oauth:client-assertion-type:jwt-spiffe
• Common Name: SPIFFE JWT-SVID Profile for OAuth 2.0 Client Authentication
• Change Controller: IETF
• Reference: This Document

OAuth Dynamic Client Registration Metadata This document requests the following entries to be added to the "OAuth Dynamic Client Registration Metadata" registry defined in :

• Client Metadata Name: spiffe_id
• Client Metadata Description: SPIFFE ID of the client
• Change Controller: IETF
• Reference: This Document
• Client Metadata Name: spiffe_bundle_endpoint
• Client Metadata Description: URL of the SPIFFE Bundle Endpoint for the client's trust domain
• Change Controller: IETF
• Reference: This Document

References Normative References The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] This document establishes an IETF URN Sub-namespace for use with OAuth-related specifications. This document is not an Internet Standards Track specification; it is published for informational purposes. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification. This specification provides a framework for the use of assertions with OAuth 2.0 in the form of a new client authentication mechanism and a new authorization grant type. Mechanisms are specified for transporting assertions during interactions with a token endpoint; general processing rules are also specified. The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms. Note that this specification only defines abstract message flows and processing rules. In order to be implementable, companion specifications are necessary to provide the corresponding concrete instantiations. This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication. This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration. This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token. This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities. Okta This specification defines a mechanism through which an OAuth client can identify itself to authorization servers, without prior dynamic client registration or other existing registration. This is through the usage of a URL as a client_id in an OAuth flow, where the URL refers to a document containing the necessary client metadata, enabling the authorization server to fetch the metadata about the client as needed. n.d. n.d. n.d. n.d. n.d. n.d. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Self-Issued Consulting Ping Identity Disney Okta This document updates RFC7521, RFC7522, RFC7523 and RFC9126 with respect to the treatment of audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based Authorization Grants to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications. This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice. Informative References MATTR Bundesdruckerei SPRIND This specification defines an extension to the OAuth 2.0 protocol [RFC6749] that enables a client instance to include a key-bound attestation when interacting with an Authorization Server or Resource Server. This mechanism allows a client instance to prove its authenticity verified by a client attester without revealing its target audience to that attester. It may also serve as a mechanism for client authentication as per OAuth 2.0. Ping Identity CyberArk Defakto Security Intuit Zscaler The WIMSE architecture defines authentication and authorization for software workloads in a variety of runtime environments, from the most basic ones up to complex multi-service, multi-cloud, multi- tenant deployments. This document defines the credentials that workloads use to represent their identity. They can be used in various protocols to authenticate workloads to each other. To use these credentials, workloads must provide proof of possession of the associated private key material, which is covered in other documents. This document focuses on the credentials alone, independent of the proof-of- possession mechanism.

Document History RFC Editor: please remove before publication.

• latest

draft-ietf-oauth-spiffe-client-auth-02

• Add Nancy Cam-Winget as co-author.
• Editorial updates to clarify WIT-SVID support.

draft-ietf-oauth-spiffe-client-auth-01

• Add mechanism to use Client ID Metadata Document for SPIFFE client metadata discovery.
• Add WIT-SVID variant using Workload Identity Tokens and Attestation-Based Client Authentication.
• Add interoperability section.
• Add more guidance and security considerations when using the iss claim.
• Add Stian Thorgersen as co-author.

draft-ietf-oauth-spiffe-client-auth-00

• Document name update to reflect adoption into the OAuth working group

draft-schwenkschuster-oauth-spiffe-client-auth-01

• Rephrase introduction to make the focus on client authentication more clear.
• Add implementation section.
• Add audience restrictions from RFC7523bis adopted WG document.
• Add security and IANA considerations section.
• Add Scott Rose as co-author.

draft-schwenkschuster-oauth-spiffe-client-auth-00

• Initial document

Acknowledgments TODO acknowledge.