Using certificate-constrained access tokens created by private key used to authentication (with private_key_jwt)
I have a OIDC provider that can't use mutual TLS authentication due to mTLS problems like certificates expiration (what if client didn't rotate certificate and it's expired now? Client cant authenticate to server to e.g. inform server that client has new certificate, so client loss whole access and seems to be useless), or what if OCSP is unavailable, prompting user about certificate if we don't have another port for mTLS etc.
But mTLS give us a big security improvment: certificate-constrained access tokens.
In comparison to DPoP it has big advantage: there are no DPoP token and replay attack is impossible.
So I thought about a bit modified DPoP. We can create self-signed x509 certificate (signed by the same private key that we are using to authenticate using private_key_jwt method) every request to resource server and then use DPoP with earlier generated certificate. (In my case resource servers can support mTLS, while they are only API).
What it provides? It provides that DPoP token can't be reused because we must estabilish mTLS connection to use it. If attacker doesn't know private key, then can't do anything even if DPoP token has leaked.
Do you see any problems in my solution? Asking because I'm not security expert and I might have missed something.
