openiddict · kevinchalet · May 29, 2025 · May 29, 2025
diff --git a/src/OpenIddict.Abstractions/OpenIddictConstants.cs b/src/OpenIddict.Abstractions/OpenIddictConstants.cs
@@ -566,8 +566,11 @@ public static class SubjectTypes
 
     public static class TokenBindingMethods
     {
-        public const string SelfSignedTlsClientCertificate = "self_signed_tls_client_certificate";
-        public const string TlsClientCertificate = "tls_client_certificate";
+        public static class Private
+        {
+            public const string SelfSignedTlsClientCertificate = "urn:openiddict:params:oauth:token-binding-method:self_signed_tls_client_certificate";
+            public const string TlsClientCertificate = "urn:openiddict:params:oauth:token-binding-method:tls_client_certificate";
+        }
     }
 
     public static class TokenFormats

diff --git a/src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.cs b/src/OpenIddict.Client.SystemNetHttp/OpenIddictClientSystemNetHttpHandlers.cs
@@ -230,13 +230,13 @@ public ValueTask HandleAsync(ProcessAuthenticationContext context)
             if (context.TokenEndpointClientAuthenticationMethod is ClientAuthenticationMethods.TlsClientAuth &&
                 _options.CurrentValue.TlsClientAuthenticationCertificateSelector(context.Registration) is not null)
             {
-                context.UserInfoEndpointTokenBindingMethods.Add(TokenBindingMethods.TlsClientCertificate);
+                context.UserInfoEndpointTokenBindingMethods.Add(TokenBindingMethods.Private.TlsClientCertificate);
             }
 
             else if (context.TokenEndpointClientAuthenticationMethod is ClientAuthenticationMethods.SelfSignedTlsClientAuth &&
                      _options.CurrentValue.SelfSignedTlsClientAuthenticationCertificateSelector(context.Registration) is not null)
             {
-                context.UserInfoEndpointTokenBindingMethods.Add(TokenBindingMethods.SelfSignedTlsClientCertificate);
+                context.UserInfoEndpointTokenBindingMethods.Add(TokenBindingMethods.Private.SelfSignedTlsClientCertificate);
             }
 
             return default;
@@ -661,16 +661,16 @@ public ValueTask HandleAsync(TContext context)
             // If both a client authentication method and one or multiple token binding methods were negotiated,
             // make sure they are compatible (e.g that they all use a CA-issued or self-signed X.509 certificate).
             if ((context.ClientAuthenticationMethod is ClientAuthenticationMethods.TlsClientAuth &&
-                 context.TokenBindingMethods.Contains(TokenBindingMethods.SelfSignedTlsClientCertificate)) ||
+                 context.TokenBindingMethods.Contains(TokenBindingMethods.Private.SelfSignedTlsClientCertificate)) ||
                 (context.ClientAuthenticationMethod is ClientAuthenticationMethods.SelfSignedTlsClientAuth &&
-                 context.TokenBindingMethods.Contains(TokenBindingMethods.TlsClientCertificate)))
+                 context.TokenBindingMethods.Contains(TokenBindingMethods.Private.TlsClientCertificate)))
             {
                 throw new InvalidOperationException(SR.GetResourceString(SR.ID0456));
             }
 
             // Attach a flag indicating that a client certificate should be used in the TLS handshake.
             if (context.ClientAuthenticationMethod is ClientAuthenticationMethods.TlsClientAuth ||
-                context.TokenBindingMethods.Contains(TokenBindingMethods.TlsClientCertificate))
+                context.TokenBindingMethods.Contains(TokenBindingMethods.Private.TlsClientCertificate))
             {
                 builder.Append('\u001f');
 
@@ -681,7 +681,7 @@ public ValueTask HandleAsync(TContext context)
 
             // Attach a flag indicating that a self-signed client certificate should be used in the TLS handshake.
             else if (context.ClientAuthenticationMethod is ClientAuthenticationMethods.SelfSignedTlsClientAuth ||
-                     context.TokenBindingMethods.Contains(TokenBindingMethods.SelfSignedTlsClientCertificate))
+                     context.TokenBindingMethods.Contains(TokenBindingMethods.Private.SelfSignedTlsClientCertificate))
             {
                 builder.Append('\u001f');