RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 6 records.

Status: Verified (3)

RFC6749, "The OAuth 2.0 Authorization Framework", October 2012

Source of RFC: oauth (sec)

Errata ID: 3446

Status: Verified
Type: Editorial

Reported By: Nov Matake
Date Reported: 2013-01-07
Verifier Name: Stephen Farrell
Date Verified: 2013-03-16

Section 1 says:

o  Resource owners cannot revoke access to an individual third party
   without revoking access to all third parties, and must do so by
   changing the third party's password.

It should say:

o  Resource owners cannot revoke access to an individual third party
   without revoking access to all third parties, and must do so by
   changing their password.

Notes:

The text was originally "their" but changed to "the third party's" between the last draft and RFC.
However, "their" means "resource owners'", not "the third party's".

Errata ID: 3500

Status: Verified
Type: Editorial

Reported By: John Field
Date Reported: 2013-02-26
Verifier Name: Stephen Farrell
Date Verified: 2013-03-16

Section 4.1 says:

(E)  The authorization server authenticates the client, validates the
     authorization code, and ensures that the redirection URI
     received matches the URI used to redirect the client in
     step (C).  If valid, the authorization server responds back with
     an access token and, optionally, a refresh token.

It should say:

(E)  The authorization server authenticates the client, validates the
     authorization code, and ensures that the redirection URI
     received matches the URI used to redirect (the resource owner's user-agent) 
     to the client in step (C).  If valid, the authorization server 
     responds back with an access token and, optionally, a refresh token.

Notes:

The URI in question is the URI that was used to redirect the resource owner's user-agent back to the client to deliver the code. The original text in step (E) seems to say that this URI was used to redirect the client, but I think this is an ambiguous/imprecise use of the word "client." It was not the OAuth client that was redirected using that URI, it was the resource owner's user-agent that was redirected, *to* the client.

The parenthetical (the resource owner's user-agent) is more precise but may perhaps be too verbose. I think, at minimum, we must say "....the URI used to redirect *to* the client in step (C)."

Errata ID: 3904

Status: Verified
Type: Editorial

Reported By: Takahiko Kawasaki
Date Reported: 2014-03-01
Verifier Name: Kathleen Moriarty
Date Verified: 2015-12-08

Section 11.2.2. says:


It should say:

   o  Parameter name: error
   o  Parameter usage location: authorization response, token response
   o  Change controller: IETF
   o  Specification document(s): RFC 6749

Notes:

"error" is missing and should be added to the list of Initial Registry Contents of OAuth Parameters Registry.

AD note: This is in the normative registry, although it doesn't appear in the final published RFC. The WG suspects there was a mistake that removed it from RFC 6749 prior to final publication. I've marked this as editorial since the IANA registry is normative, but also as verified.

Status: Held for Document Update (2)

RFC6749, "The OAuth 2.0 Authorization Framework", October 2012

Source of RFC: oauth (sec)

Errata ID: 3780

Status: Held for Document Update
Type: Technical

Reported By: Torsten Lodderstedt
Date Reported: 2013-11-04
Held for Document Update by: Kathleen Moriarty
Date Held: 2015-12-08

Section 3.2.1 says:

A client MAY use the "client_id" request parameter to identify itself
   when sending requests to the token endpoint.

It should say:

A public client MAY use the "client_id" request parameter to identify 
itself when sending requests to the token endpoint.

Notes:

Note from AD: The provided link doesn't exactly demonstrate consensus, but the change makes sense, hence this is marked "Held for Document Update".

From Submitter: The current text may mislead confidential clients to sent their client_id in the request body in addition to their client_id and client_secret in the BASIC authz header. This leads to unnecessary duplication and ambiguities.

There has been consensus on the list that the intention of this sentence was to advise _public_ clients to identity themselves towards the token endpoint in order to mitigate substitution attacks and allow for logging. Confidential clients need to authenticate anyway, this sentence should be narrowed down to public clients only.

see http://www.ietf.org/mail-archive/web/oauth/current/msg12005.html

This issue was discovered in the course of the OpenID Connect Interop testings.

Errata ID: 4206

Status: Held for Document Update
Type: Editorial

Reported By: Alexander Kempgen
Date Reported: 2014-12-23
Held for Document Update by: Kathleen Moriarty
Date Held: 2015-12-08

Section 4.1 says:

   (E)  The authorization server authenticates the client, validates the
        authorization code, and ensures that the redirection URI
        received matches the URI used to redirect the client in
        step (C).  If valid, the authorization server responds back with
        an access token and, optionally, a refresh token.

It should say:

   (E)  The authorization server authenticates the client, validates the
        authorization code, and ensures that the redirection URI
        received matches the redirection URI provided by the client in
        step (A).  If valid, the authorization server responds back with
        an access token and, optionally, a refresh token.

Notes:

AD & WG notes: The wording is better, so this is accepted, but it does mean the same thing. The URI in A and C are the same.

See https://www.ietf.org/mail-archive/web/oauth/current/msg15277.html and responses.

Submitter notes: As written in section 4.1.3, the redirection URI in the access token request must match the redirection URI provided by the client in the authorization request (4.1.1). The URI used to redirect the user agent to the client in step (C) is actually different from this URI, as it contains the additional query parameters "code" and "state".

Affects the same sentence as Errata ID: 3500.

Status: Rejected (1)

RFC6749, "The OAuth 2.0 Authorization Framework", October 2012

Source of RFC: oauth (sec)

Errata ID: 3880

Status: Rejected
Type: Technical

Reported By: Eriksen Costa
Date Reported: 2014-02-04
Rejected by: Kathleen Moriarty
Date Rejected: 2015-12-08

Section 10.16 says:

For public clients using implicit flows, this specification does not
provide any method for the client to determine what client an access
token was issued to.

It should say:

For public clients using implicit flows, this specification does not
provide any method for the authorization server to determine what
client an access token was issued to.

Notes:

A client can only know about tokens issued to it and not for other clients.

From the WG:
https://www.ietf.org/mail-archive/web/oauth/current/msg12391.html
--VERIFIER NOTES--
The current text is correct, see https://www.ietf.org/mail-archive/web/oauth/current/msg12391.html

Report New Errata



Search RFCs
Advanced Search
×