%% You should probably cite rfc8705 instead of this I-D.
@techreport{ietf-oauth-mtls-17,
    number =    {draft-ietf-oauth-mtls-17},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/17/},
    author =    {Brian Campbell and John Bradley and Nat Sakimura and Torsten Lodderstedt},
    title =     {{OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens}},
    pagetotal = 24,
    year =      2019,
    month =     aug,
    day =       23,
    abstract =  {This document describes OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.},
}