Just curious whether anyone has done this yet, or whether someone from CA has some input, on doing client-cert auth to the OIDC endpoints, and whether that would be considered a supportable configuration or not.
Basically, instead of relying on the bearer access token alone to, say, the userinfo endpoint, add the layer of requiring a certificate from a valid trusted issuer.
As a whole, we want to avoid passing any detailed user information based on a bearer token alone, so having the layer of having to be a validly issued cert would allow greater security there; to compromise the user info, one would have to gain access to not only the access token but also the specific client cert.
Since the AG has Apache as the proxy, I figured it should be doable in the configs?
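One way the layering described above can be expressed in plain Apache httpd 2.4 (mod_ssl, mod_proxy, mod_headers), as an added example that is not from the original post, from CA, or from any Access Gateway documentation: a dedicated TLS vhost fronts only the userinfo path, requires a client cert chained to the in-house CA, and still insists on the bearer token. Hostnames, file paths, the issuer CN, and the backend URL are assumptions for illustration.

```apache
# Added example, not CA/Access Gateway configuration; paths and names are assumed.
# Client-cert verification is set at vhost level on purpose: per-<Location>
# SSLVerifyClient relies on TLS renegotiation, which TLS 1.3 does not allow.
<VirtualHost *:8443>
    ServerName idp-mtls.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server/idp.crt
    SSLCertificateKeyFile /etc/ssl/server/idp.key

    # Accept only client certs that chain to the internal client CA.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/ca/internal-client-ca.pem

    # Without revocation checking a revoked client cert still passes;
    # a CRL for the client CA is assumed to be published here.
    SSLCARevocationFile  /etc/ssl/ca/internal-client-ca.crl
    SSLCARevocationCheck chain

    # Nothing but the userinfo path is reachable through this vhost.
    <Location "/">
        Require all denied
    </Location>

    <Location "/userinfo">
        <RequireAll>
            # Handshake-level verification must have succeeded.
            Require ssl-verify-client
            # Pin the issuer so a cert from another CA in the bundle does not qualify.
            Require expr "%{SSL_CLIENT_I_DN_CN} == 'Internal Client CA'"
            # The bearer token is still mandatory; the cert is an extra layer, not a replacement.
            Require expr "-n %{HTTP:Authorization}"
        </RequireAll>

        # Never trust a client-supplied identity header; overwrite it from the verified cert
        # so the backend can log or correlate which client cert was presented.
        RequestHeader unset X-Client-Cert-Subject
        RequestHeader set   X-Client-Cert-Subject "%{SSL_CLIENT_S_DN}s"

        ProxyPreserveHost On
        ProxyPass        http://127.0.0.1:8080/userinfo
        ProxyPassReverse http://127.0.0.1:8080/userinfo
    </Location>
</VirtualHost>
```

Whether the Access Gateway's own Apache layer tolerates an extra vhost like this, and whether the vendor supports it, is exactly the question the post raises; the snippet only shows that nothing beyond stock httpd directives is needed for the mTLS requirement itself.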