...

If 2-way (mutual) TLS is used to authenticate a client, and the client has Base64-encoded representations of its X.509 certificates available in its "applicationCertificates" property, then AccessTokenService additionally compares these registered certificates against the ones presented in the current TLS session, so a client cannot obtain a token over a TLS session authenticated with a certificate that is not registered for it.

OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens is also fully supported since CXF 3.1.12. Note that some parameter names used in this draft may still change. After the client authenticates to the token service over mutual TLS, the token service inserts a digest (thumbprint) of the client's certificate into the issued (JWT-based) access token. On the resource server side, OAuthRequestFilter computes the digest of the client certificate presented in the current TLS session, compares it with the value stored in the token claim, and throws a 401 exception if they do not match. A stolen bearer token is therefore unusable by anyone who cannot also present the bound certificate in the TLS handshake.
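The two checks described above, as an added example that is not part of the CXF documentation or code base: the token-service side compares the TLS-session certificate against the client's registered Base64 certificates (the "applicationCertificates" check) and binds the issued JWT to that certificate; the resource-server side recomputes the thumbprint from the session certificate and rejects a mismatch with 401. It assumes the claim layout of the published specification (RFC 8705: a "cnf" claim carrying "x5t#S256", the base64url SHA-256 of the DER certificate); the page does not state which claim name CXF uses. The certificate bytes, HS256 key and client id are constructed stand-ins; in a real server the session certificate's DER bytes come from ssl.SSLSocket.getpeercert(binary_form=True).

```python
"""Certificate-bound access tokens: issuance and resource-server check.

Added example. Assumptions not taken from the page: HS256-signed JWTs,
the RFC 8705 "cnf"/"x5t#S256" claim layout, and constructed byte strings
standing in for DER-encoded certificates.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded X.509 certificates (not real certificates).
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-der"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-other-cert-der"
# What the client registered in "applicationCertificates" (Base64 of DER).
REGISTERED_CERTS = [base64.b64encode(CLIENT_CERT_DER).decode("ascii")]
SECRET = b"token-service-hmac-key-for-demo-only"   # constructed HS256 key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def session_cert_is_registered(registered_b64: list, session_der: bytes) -> bool:
    """Token-service check: the TLS-session certificate must equal one of the
    client's registered certificates (compared as raw DER, constant time)."""
    return any(hmac.compare_digest(base64.b64decode(c), session_der) for c in registered_b64)


def _seg(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(secret: bytes, client_id: str, client_der: bytes, ttl: int = 300) -> str:
    """Token service: mint a JWT whose cnf claim binds it to the client certificate."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://as.example", "sub": client_id, "client_id": client_id,
        "iat": now, "exp": now + ttl,
        "cnf": {"x5t#S256": x5t_s256(client_der)},   # the certificate binding
    }
    signing_input = f"{_seg(header)}.{_seg(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_bound_token(secret: bytes, token: str, session_der: Optional[bytes],
                       now: Optional[int] = None) -> Tuple[int, Optional[dict]]:
    """Resource-server check (the role OAuthRequestFilter plays): returns
    (HTTP status, claims). 401 on a bad signature, expiry, a missing binding,
    no client certificate in the TLS session, or a thumbprint mismatch."""
    try:
        h64, c64, s64 = token.split(".")
        expected = hmac.new(secret, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return 401, None                     # signature check comes first
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
    except (ValueError, TypeError):
        return 401, None
    if header.get("alg") != "HS256":
        return 401, None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return 401, None
    bound = claims.get("cnf", {}).get("x5t#S256") if isinstance(claims.get("cnf"), dict) else None
    if not isinstance(bound, str):
        return 401, None                         # token is not certificate-bound
    if session_der is None:
        return 401, None                         # no mutual TLS on this request
    if not hmac.compare_digest(bound, x5t_s256(session_der)):
        return 401, None                         # presented cert differs from the bound one
    return 200, claims


if __name__ == "__main__":
    # Token endpoint: the session cert must be one the client registered.
    assert session_cert_is_registered(REGISTERED_CERTS, CLIENT_CERT_DER)
    tok = issue_token(SECRET, "client-1", CLIENT_CERT_DER)
    print("same cert  ->", verify_bound_token(SECRET, tok, CLIENT_CERT_DER)[0])
    print("other cert ->", verify_bound_token(SECRET, tok, OTHER_CERT_DER)[0])
    print("no mTLS    ->", verify_bound_token(SECRET, tok, None)[0])
```

The resource server never trusts the thumbprint in the token on its own: it recomputes it from the certificate the TLS layer actually authenticated, so the binding is only as strong as the server's client-certificate validation during the handshake.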

User Session Authenticity

...