IBM Verify


 How to configure client certificate authentication for an OAuth 2.0 client

Sue BAYLISS posted Tue December 02, 2025 07:17 AM

Hi, can anyone help point me in the correct direction to do the following…

I'm trying to configure Mutual TLS from a client on a request for an OAuth 2.0 token (URI mga/sps/oauth/oauth20/token) for the client certificate to be mapped to an OAuth 2.0 client. (As part of specification RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens https://datatracker.ietf.org/doc/html/rfc8705)

We are currently using IBM Secure Verify Access 10.0.2 docker containers (although we plan to update to v11) and have requests for OAuth 2.0 tokens working with basic authentication and JWT authentication. But I’m not sure which instructions I should be following to use client certificate authentication instead.

I’ve found:


I can successfully complete TLS handshake with WRP, but missing how to map client certificate to an OAuth 2.0 client. I tried each of the above instructions with various errors but mostly runtime container messages.log issues: "ivoli.am.fim.oauth20.protocol.delegates.OAuth20TokenDelegate I com.tivoli.am.fim.oauth20.exception.OAuth20InvalidClientException: FBTOAU229E Confidential clients accessing the token endpoint must authenticate using their registered credentials."

Thanks, Sue
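The RFC 8705 behaviour the question is trying to reach has two halves: the token endpoint authenticates the client from its TLS certificate, and the resulting access token carries a `cnf.x5t#S256` claim that binds it to that certificate, so a resource server must check that the certificate on the current TLS connection matches the one the token was issued to. The following is an added example (not from the original post, not IBM Security Verify Access code) of that binding check in Python using only the standard library. The DER bytes, the issuer URL and the unsigned sample JWT are constructed stand-ins; JWT signature verification is assumed to have happened before this check runs.

```python
"""Added example (not from the original post or from IBM's product code): the
certificate-bound access token check from RFC 8705 section 3. A resource server
that receives an mTLS-bound token compares the SHA-256 thumbprint of the client
certificate presented on the TLS connection with the `cnf.x5t#S256` claim in the
token. Certificate bytes, issuer URL and token below are constructed sample data;
signature verification of the JWT is assumed to have been done already."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWTs and the x5t#S256 value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER-encoded certificate)), RFC 8705 section 3.1."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed helper only: builds an alg=none JWT so the sample is
    self-contained. A real resource server must never accept alg=none."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Extracts the payload; signature validation is assumed to happen first."""
    return json.loads(b64url_decode(token.split(".")[1]))


def token_bound_to_cert(token: str, presented_cert_der: bytes) -> bool:
    """RFC 8705 binding check: cnf.x5t#S256 in the token must equal the thumbprint
    of the certificate the client used on this TLS connection. A token with no
    cnf claim is not certificate-bound and is rejected here."""
    cnf = jwt_claims(token).get("cnf") or {}
    expected = cnf.get("x5t#S256")
    if not expected:
        return False
    return hmac.compare_digest(expected, cert_thumbprint_s256(presented_cert_der))


# Constructed stand-ins for DER certificate bytes (real DER starts with 0x30).
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"sample-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"someone-elses-cert"

# Constructed token: the issuer URL is a placeholder, not a real ISVA host.
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": "https://isva.example.test/mga/sps/oauth/oauth20",
    "sub": "client-app-1",
    "cnf": {"x5t#S256": cert_thumbprint_s256(CLIENT_CERT_DER)},
})

if __name__ == "__main__":
    print(token_bound_to_cert(SAMPLE_TOKEN, CLIENT_CERT_DER))  # True
    print(token_bound_to_cert(SAMPLE_TOKEN, OTHER_CERT_DER))   # False: stolen token, wrong cert
```

The thumbprint is taken over the raw DER of the leaf certificate, not the PEM text, and the comparison is constant-time. In a deployment the `presented_cert_der` value comes from the TLS layer (for ISVA, the WebSEAL reverse proxy that terminated the handshake), and a missing or mismatching `cnf` claim should be treated as an invalid token rather than falling back to a bearer check.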

Sumana Narasipur

Hi Sue,

Here are some things I would check:
1. Has the certificate information propagated all the way to the InfoMap (FAPI_CertEAI)?
2. If the certificate information is not available, you could look at the client certificate user mapping to debug further.
3. If the certificate information is available, check the trace logs for "No authorization header present, authenticating as the client via MTLS".
4. Set trace to com.tivoli.am.fim.trustserver.sts.utilities.*=ALL

I hope the above steps help.