RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012Source of RFC: oauth (sec)
Errata ID: 5332
Publication Format(s) : TEXT
Reported By: Donald F Coffin
Date Reported: 2018-04-24
Section 4.1 says:
(B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
It should say:
(B) The authorization server validates the request to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner via the user-agent or by use of other established approval means).
"Section 4.1 Authorization Code Grant (B)" conflicts with "Section 4.1.1 Authorization
Request". The current verbiage implies the resource owner should be authenticated
prior to "The authorization server validates the request to ensure that all required
parameters are present and valid". Such implementations lead to overly complex
user experiences when the Authorization Server determines the request is invalid.