...
shall only establish connections to servers, including HelseID, using TLS. All TLS connections shall be set up using TLS version 1.2 or later, and follow RFC 7525.
shall be confidential clients, meaning that the client secrets used to authenticate the clients are known to HelseID prior to the authentication.
shall pass request parameters as JWT as described by OIDF in OpenID Connect, and as detailed by HelseID.
shall support client authentication using either:
“private_key_jwt”, as described by OpenID Connect for interactive sessions.
See below for allowed algorithms.
Mutual-TLS for OAuth Client Authentication as described by RFC 8705. (This is not supported by HelseID yet)
The requirements for client authentication are further detailed by HelseID.
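The following is an added example, not HelseID's own code, of what the private_key_jwt client authentication above amounts to in practice: the client signs a short-lived JWT (iss and sub set to its client_id, aud set to the token endpoint, a unique jti, iat and exp) with its private key, and the authorization server verifies it against the key it holds for that client. The client id, token endpoint, RS256 as the signing algorithm and the 60-second lifetime are assumptions for the example; HelseID's allowed algorithms and endpoints are defined in its own documentation. The verifier side pins the algorithm, checks signature, issuer, audience and expiry, and rejects a reused jti, which is the replay check that makes the single-use requirement meaningful.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Placeholder values for the example; not HelseID's real client id or endpoint.
const (
	clientID          = "example-client-id"
	tokenEndpoint     = "https://helseid.example/connect/token"
	assertionLifetime = 60 * time.Second // short lifetime narrows the replay window
)

type joseHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// ClientAssertionClaims are the claims private_key_jwt requires (OIDC Core 9 / RFC 7523).
type ClientAssertionClaims struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id
	Aud string `json:"aud"` // the token endpoint this assertion is meant for
	Jti string `json:"jti"` // unique id so the server can refuse a replayed assertion
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs a private_key_jwt assertion with RS256 (assumed allowed here).
func BuildClientAssertion(key *rsa.PrivateKey, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(joseHeader{Alg: "RS256", Typ: "JWT"})
	body, _ := json.Marshal(ClientAssertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64url(nonce), Iat: now.Unix(), Exp: now.Add(assertionLifetime).Unix(),
	})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// AssertionVerifier holds the key registered for the client and an in-memory replay cache.
type AssertionVerifier struct {
	pub      *rsa.PublicKey
	seenJTIs map[string]bool
}

func NewAssertionVerifier(pub *rsa.PublicKey) *AssertionVerifier {
	return &AssertionVerifier{pub: pub, seenJTIs: map[string]bool{}}
}

// Verify performs the checks an authorization server makes before trusting the assertion.
func (v *AssertionVerifier) Verify(token string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr joseHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm server-side; the token header must never pick it (rejects "none" etc.).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c ClientAssertionClaims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID {
		return nil, errors.New("iss/sub do not match the registered client")
	}
	if c.Aud != tokenEndpoint {
		return nil, errors.New("aud is not this token endpoint")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("assertion expired")
	}
	if c.Jti == "" || v.seenJTIs[c.Jti] {
		return nil, errors.New("jti missing or already used (replay)")
	}
	v.seenJTIs[c.Jti] = true
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := BuildClientAssertion(key, now)
	v := NewAssertionVerifier(&key.PublicKey)
	_, err := v.Verify(tok, now)
	fmt.Println("first use:", err) // nil
	_, err = v.Verify(tok, now)
	fmt.Println("second use:", err) // rejected as replay
}
```

On the client side the assertion goes to the token endpoint as the `client_assertion` form parameter together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`; the private key never leaves the client, which is what distinguishes this from a shared client secret.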
shall support sender-constrained tokens using either
Mutual-TLS for OAuth Certificate-Bound Access Tokens (mTLS for OAuth) as described by RFC 8705.
Demonstrating Proof-of-Possession at the Application Layer (DPoP) as described by draft-ietf-oauth-dpop. At the moment this specification has draft status, so it is liable to change.
This is a future requirement and is not supported by HelseID yet.
shall send access tokens in the HTTP Authorization header, as described by RFC 6750.
...