Skip to content

feat: RFC 8705 mutual-TLS client authentication — BOSH release changes#1269

Draft
rkoster wants to merge 9 commits into
cloudfoundry:developfrom
rkoster:feat/rfc8705-mtls-client-auth
Draft

feat: RFC 8705 mutual-TLS client authentication — BOSH release changes#1269
rkoster wants to merge 9 commits into
cloudfoundry:developfrom
rkoster:feat/rfc8705-mtls-client-auth

Conversation

@rkoster

@rkoster rkoster commented Jul 3, 2026

Copy link
Copy Markdown

Summary

BOSH release changes to support RFC 8705
mutual-TLS client authentication for Cloud Foundry app instance identity.

Companion to cloudfoundry/uaa#3972.

Changes (3 commits)

jobs/uaa/spec — new properties:

  • uaa.mtls.enabled (boolean, default false) — enables the /oauth/mtls/token endpoint
  • uaa.mtls.endpoint (string) — the full mTLS endpoint URL published in OIDC discovery

jobs/uaa/templates/config/uaa.yml.erb:

  • Emit mtls: block when uaa.mtls.enabled is true
  • Skip clientSecret validation for tls_client_auth and private_key_jwt clients
    (these authenticate via cert/JWT rather than a shared secret)

src/uaa submodule — bumped to feat/rfc8705-mtls-client-auth (cloudfoundry/uaa#3972)

Ops file usage

# ops-enable-app-identity.yml
- type: replace
  path: /instance_groups/name=control/jobs/name=uaa/properties/uaa/mtls?
  value:
    enabled: true
    endpoint: https://uaa.((system_domain))/oauth/mtls/token

- type: replace
  path: /instance_groups/name=control/jobs/name=uaa/properties/uaa/clients/instance-identity?
  value:
    token-endpoint-auth-method: tls_client_auth
    tls-client-auth-ca: ((diego_instance_identity_ca.certificate))
    tls-client-auth-claim-mappings: |
      [
        {"field":"subject_cn","claim":"cf_instance_guid"},
        {"field":"subject_ou","pattern":"app:(.+)","claim":"app_guid"},
        {"field":"subject_ou","pattern":"space:(.+)","claim":"space_guid"},
        {"field":"subject_ou","pattern":"organization:(.+)","claim":"org_guid"}
      ]
    authorities: uaa.none
    authorized-grant-types: client_credentials
    scope: uaa.none

Gorouter requirement

# The Gorouter must be configured to validate and forward the client cert:
router.forwarded_client_cert: sanitize_set

Related

rkoster added 3 commits July 3, 2026 12:41
…lients

Clients using certificate-based or JWT-based authentication do not have
a client_secret. The template previously only exempted 'implicit' grant
type from the secret-required check; extend the exemption to
token-endpoint-auth-method tls_client_auth and private_key_jwt.
Update UAA submodule to include the RFC 8705 mTLS implementation.

The submodule now points to the tip of the feat/rfc8705-mtls-client-auth
branch in cloudfoundry/uaa, which adds mutual-TLS client authentication
support for /oauth/mtls/token.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

1 participant