RFC Errata



RFC 8628, "OAuth 2.0 Device Authorization Grant", August 2019

Source of RFC: oauth (sec)

Errata ID: 5840
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Konstantin Lapine
Date Reported: 2019-08-19

Section 5.2 says:

An attacker who guesses the device code would be able to potentially
   obtain the authorization code once the user completes the flow.

It should say:

An attacker who guesses the device code would be able to potentially
   obtain the access token once the user completes the flow.

Notes:

The "authorization code" term is associated with Authorization Code Grant (defined in RFC 6749) and has the meaning of a temporary credential used by an OAuth 2.0 client to obtain the access token. Section 5.2 of RFC 8628 seems to refer to the steps of the device authorization flow during which the device code and the client identifier are exchanged for the access token (and the optional refresh token).

Alternative correction:

"An attacker who guesses the device code would be able to potentially obtain the access token and the optional refresh token once the user completes the flow."
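The exchange the report refers to, as an added example that is not part of RFC 8628 or of this erratum: a minimal in-memory model of the device authorization endpoint (Section 3.2), the user's approval step (Section 3.3) and the token endpoint (Sections 3.4 and 3.5). The class and function names, the 20-letter user-code alphabet, the placeholder verification URI and the absence of any persistent storage or rate limiting are assumptions made for illustration. The token endpoint takes nothing but the device code and the client identifier, so whoever presents a valid device code after the user approves receives the access token and the optional refresh token; the device code itself is generated with 256 bits of entropy, which is the mitigation Section 5.2 describes.

```python
"""Illustrative model of the RFC 8628 device authorization flow.
Added example; not code from the RFC or the erratum reporter."""
import secrets
import time

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class AuthorizationServer:
    """In-memory authorization server (assumed design): device authorization
    endpoint (Sections 3.1/3.2) and token endpoint (Sections 3.4/3.5)."""

    def __init__(self, lifetime_seconds=600, interval=5):
        self.lifetime = lifetime_seconds
        self.interval = interval          # minimum seconds between polls
        self._pending = {}                # device_code -> pending request
        self._by_user_code = {}           # user_code -> device_code

    def device_authorization(self, client_id, scope=""):
        # The device code is never shown to a person, so its length is not
        # limited by usability: 32 random bytes = 256 bits (Section 5.2).
        device_code = secrets.token_urlsafe(32)
        # The user code is typed by a person, so it is short by design:
        # 8 symbols from a 20-letter alphabet is about 34.6 bits.  That is
        # the value the verification endpoint must rate-limit on.
        alphabet = "BCDFGHJKLMNPQRSTVWXZ"
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": time.time() + self.lifetime,
            "approved": None,             # None = pending, True/False = decided
            "last_poll": 0.0,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://example.com/device",  # placeholder
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def user_decision(self, user_code, approve):
        """End user, authenticated in a browser, enters the user code and
        approves or denies the request (Section 3.3)."""
        device_code = self._by_user_code.pop(user_code)
        self._pending[device_code]["approved"] = approve

    def token(self, form):
        """Token request (Section 3.4).  Inputs: device code and client_id,
        which is public for the public clients this grant targets.  Once the
        user has approved, presenting the device code yields the access token
        and refresh token, the credential erratum 5840 says 5.2 should name."""
        if form.get("grant_type") != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        device_code = form.get("device_code")
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        now = time.time()
        if now > rec["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]    # single use, approved or denied
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(32),   # optional per RFC
            "scope": rec["scope"],
        }


def run_flow(server, client_id="device-client", scope="read"):
    """Walk the flow end to end; return (poll before approval, poll after)."""
    grant = server.device_authorization(client_id, scope)
    form = {"grant_type": DEVICE_CODE_GRANT,
            "device_code": grant["device_code"],
            "client_id": client_id}
    before = server.token(form)                      # authorization_pending
    server.user_decision(grant["user_code"], True)   # user completes the flow
    after = server.token(form)                       # access + refresh token
    return before, after


if __name__ == "__main__":
    before, after = run_flow(AuthorizationServer(interval=0))
    print(before)
    print(sorted(after))
```

The model keeps the server-side checks in the order a real implementation needs them: client binding and expiry before the polling-interval check, and the pending record deleted on any final answer so a device code cannot be redeemed twice. It does not model the rate limiting on the user-code verification endpoint that Section 5.1 requires; that is where the low-entropy credential in this flow actually lives.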
