RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 1 record.

Status: Reported (1)

RFC 8628, "OAuth 2.0 Device Authorization Grant", August 2019

Source of RFC: oauth (sec)

Errata ID: 5840
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Konstantin Lapine
Date Reported: 2019-08-19

Section 5.2 says:

An attacker who guesses the device code would be able to potentially
   obtain the authorization code once the user completes the flow.

It should say:

An attacker who guesses the device code would be able to potentially
   obtain the access token once the user completes the flow.

Notes:

The "authorization code" term is associated with Authorization Code Grant (defined in RFC 6749) and has the meaning of a temporary credential used by an OAuth 2.0 client to obtain the access token. Section 5.2 of RFC 8628 seems to refer to the steps of the device authorization flow during which the device code and the client identifier are exchanged for the access token (and the optional refresh token).

Alternative correction:

"An attacker who guesses the device code would be able to potentially obtain the access token and the optional refresh token once the user completes the flow."

Report New Errata