Client authentication method or not?

[fkj]

At IIW there was some discussion about whether this spec should really define a client authentication method.
The main motivation for allowing people to use the mechanism without it being a client authentication method is this line from OAuth 2 (section 2.3):

The client MUST NOT use more than one authentication method in each request.

My impression from the IIW discussion was that there are two use cases:

• Use the attestation mechanism as the (only) client authentication method
• Use the attestation mechanism to provide additional assurance on top of an existing client authentication method

I think it makes sense to allow for both use cases and provide some guidance in the Implementation Considerations section. I'm happy to write a draft of this if you want to pursue this direction.
I guess this would also be interesting to bring up at IETF this week, but unfortunately I can't attend.

[c2bo]

Agreed and we are planning to bring that discussion up at the OAuth WG Meeting on Friday.

[kkoiwai]

One example use case of "Use the attestation mechanism as the (only) client authentication method" would be a smartphone native app. Here I assume a user of the app can only login with the account of the app's service provider, i.e., the IdP and the app publisher is the same entity. The app gets an attestation from its platform and send it to the the Client Attester, typically its authorization server, to get a Client Attestation JWT. The app then uses the Client Attestation JWT and PoP JWT for accessing the PAR endpoint and token endpoint.