Hello,
I would like to use Bound Access Tokens
but i would like to know if I also need to add X.509 client certificate authentication to browser flows ?
In other words, does it work only when a client is authenticated by KeyCloak thanks to a X.509 client certificate ?
The underlying question is : is the token bound to a device certificate or a user certificate ?
Regards