Private Key Jwt sending sender constrained token requests to wrong token endpoint
What did you do?
Execute private key jwt fapi op tests. These require token constraining to mtls; as per the mtls spec, when advertising using aliases, clients need to use the advertised alias instead of the non mtls endpoint.
What did you expect would happen?
The client would use the mtls alias for requesting a token from the mutual tls token endpoint.
I would also expect the correct audience to be used, i.e. the alias token endpoint, or an array of audiences which contains the token endpoint or the issuer as the expected audience.
What did happen?
The client used the non mtls endpoint and the request failed because the certificate was not presented.
Please reference and quote any relevant OAuth2 / OpenID Connect / FAPI specification clauses that support your expectations
https://tools.ietf.org/id/draft-ietf-oauth-mtls-13.html#rfc.section.5
If you believe a failure the conformance suite is reporting is not a valid failure, you MUST include a hyperlink for the exact section of the relevant specification that explains how the behaviour of your software is compliant, and you MUST include a quote of the exact clause/phrase you are relying on
If the problem relates to a test, please provide a link to the log-detail.html page on our server (the test result does NOT need to be 'published')
https://www.certification.openid.net/log-detail.html?log=Hp6rz7lyW1gU7NP
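
The endpoint selection this report expects, as an added example that is not part of the original report or of the conformance suite's code: a client that must present its certificate prefers the URL under mtls_endpoint_aliases and falls back to the top-level value for endpoints the alias object omits. The metadata is constructed with placeholder hostnames, the function names are hypothetical, and the aud array is one reading (an assumption) of the audience expectation stated above.

```python
from urllib.parse import urlsplit

# Constructed discovery metadata; all hostnames are placeholders.
METADATA = {
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/token",
    "userinfo_endpoint": "https://as.example.com/userinfo",
    "mtls_endpoint_aliases": {
        "token_endpoint": "https://mtls.as.example.com/token",
    },
}


def resolve_endpoint(metadata, name, uses_mtls):
    """Pick the URL for endpoint `name`, preferring the mTLS alias when the
    request must carry the client certificate."""
    url = metadata.get(name)
    if uses_mtls:
        aliases = metadata.get("mtls_endpoint_aliases") or {}
        # Endpoints missing from the alias object keep their top-level URL.
        url = aliases.get(name, url)
    if not url:
        raise KeyError(f"{name} is not advertised")
    if urlsplit(url).scheme != "https":
        raise ValueError(f"{name} must be https, got {url!r}")
    return url


def assertion_audience(metadata, uses_mtls):
    """aud for the private_key_jwt assertion (assumption, see lead-in):
    the endpoint actually called, then the conventional token endpoint
    and the issuer, with duplicates dropped and order preserved."""
    candidates = [
        resolve_endpoint(metadata, "token_endpoint", uses_mtls),
        metadata["token_endpoint"],
        metadata["issuer"],
    ]
    return list(dict.fromkeys(candidates))


def plan_token_request(metadata, sender_constrained):
    """Describe the token request a client should send."""
    return {
        "url": resolve_endpoint(metadata, "token_endpoint", sender_constrained),
        "present_client_certificate": sender_constrained,
        "aud": assertion_audience(metadata, sender_constrained),
    }


if __name__ == "__main__":
    print(plan_token_request(METADATA, sender_constrained=True))
```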