RFC Errata
RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012
Note: This RFC has been updated by RFC 8252, RFC 8996, RFC 9700
Source of RFC: oauth (sec)
Errata ID: 5332
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Donald F Coffin
Date Reported: 2018-04-24
Section 4.1 says:
(B) The authorization server authenticates the resource owner (via
the user-agent) and establishes whether the resource owner
grants or denies the client's access request.
It should say:
(B) The authorization server validates the request to ensure that
all required parameters are present and valid. If the request
is valid, the authorization server authenticates the resource
owner and obtains an authorization decision (by asking the
resource owner via the user-agent or by use of other
established approval means).
Notes:
"Section 4.1 Authorization Code Grant (B)" conflicts with "Section 4.1.1 Authorization Request". The current verbiage implies the resource owner should be authenticated prior to "The authorization server validates the request to ensure that all required parameters are present and valid". Such implementations lead to overly complex user experiences when the Authorization Server determines the request is invalid.
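The following is an added illustration, not text from RFC 6749 or from this erratum, of the ordering the proposed wording describes: a minimal authorization endpoint that validates the request (and, per Section 4.1.2.1, refuses to redirect on a bad client_id or redirect_uri) before the resource owner is ever asked to authenticate. The client registry, the `Outcome` type, and the `authenticate` and `decide` callables are assumptions standing in for a real server's user-agent interaction.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed sample client registration (hypothetical values, not from the RFC).
REGISTERED_CLIENTS = {"client-123": {"redirect_uris": ["https://app.example/cb"]}}

@dataclass
class Outcome:
    action: str          # "error_page", "redirect_error", "authenticate" or "redirect"
    location: str = ""   # redirect target, when the action is a redirect

def validate_authorization_request(params: dict) -> Outcome:
    """First half of step (B): check the request before involving the user."""
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri")
    # RFC 6749 Section 4.1.2.1: a bad client_id or redirect_uri must not be
    # reported by redirection; the error is shown to the resource owner directly.
    if client is None:
        return Outcome("error_page")
    if redirect_uri is None and len(client["redirect_uris"]) == 1:
        redirect_uri = client["redirect_uris"][0]   # Section 3.1.2.3
    if redirect_uri not in client["redirect_uris"]:
        return Outcome("error_page")
    # Remaining defects are reported to the now-validated redirect_uri.
    error = None
    if "response_type" not in params:
        error = "invalid_request"
    elif params["response_type"] != "code":
        error = "unsupported_response_type"
    if error:
        q = {"error": error, **({"state": params["state"]} if "state" in params else {})}
        return Outcome("redirect_error", f"{redirect_uri}?{urlencode(q)}")
    return Outcome("authenticate", redirect_uri)

def handle_authorize(params: dict, authenticate, decide) -> Outcome:
    """Step (B) in the proposed order: validate, then authenticate, then decide.
    `authenticate` and `decide` are hypothetical stand-ins for the user-agent interaction."""
    outcome = validate_authorization_request(params)
    if outcome.action != "authenticate":
        return outcome   # invalid request: the resource owner never sees a login page
    owner = authenticate()
    q = {"state": params["state"]} if "state" in params else {}
    if decide(owner, params.get("scope", "")):
        # A real server would bind the code to owner, client_id and redirect_uri.
        q["code"] = secrets.token_urlsafe(32)
    else:
        q["error"] = "access_denied"
    return Outcome("redirect", f"{outcome.location}?{urlencode(q)}")
```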
