RFC Errata



RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012

Source of RFC: oauth (sec)

Errata ID: 5332
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Donald F Coffin
Date Reported: 2018-04-24

Section 4.1 says:

(B)  The authorization server authenticates the resource owner (via
     the user-agent) and establishes whether the resource owner
     grants or denies the client's access request.

It should say:

(B)  The authorization server validates the request to ensure that 
     all required parameters are present and valid.  If the request 
     is valid, the authorization server authenticates the resource 
     owner and obtains an authorization decision (by asking the 
     resource owner via the user-agent or by use of other 
     established approval means).

Notes:

"Section 4.1 Authorization Code Grant (B)" conflicts with "Section 4.1.1 Authorization
Request". The current verbiage implies the resource owner should be authenticated
prior to "The authorization server validates the request to ensure that all required
parameters are present and valid". Such implementations lead to overly complex
user experiences when the Authorization Server determines the request is invalid.
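The ordering in the proposed text (validate the request first, authenticate the resource owner only if it is valid) can be sketched as follows; this is an added example, not part of the erratum or of RFC 6749, and the handler name, return tuples and client registry are hypothetical. It assumes exact-match comparison of `redirect_uri` and follows the RFC 6749 Section 4.1.2.1 rule that client_id and redirect_uri failures are shown to the user rather than redirected.

```python
from urllib.parse import urlencode

# Constructed client registry (sample client_id and redirect URI).
CLIENTS = {"s6BhdRkqt3": {"redirect_uris": {"https://client.example.com/cb"}}}

def handle_authorization_request(params, session_user=None):
    """Return (action, detail). Validation runs before any authentication."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        # Section 4.1.2.1: unknown client, inform the user and never redirect.
        return ("error_page", "invalid or missing client_id")

    registered = client["redirect_uris"]
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        if len(registered) != 1:
            return ("error_page", "redirect_uri required")
        redirect_uri = next(iter(registered))
    elif redirect_uri not in registered:
        # An unregistered URI must not receive the error redirect either.
        return ("error_page", "redirect_uri mismatch")

    def redirect_error(code):
        # Errors after this point are safe to report back to the client.
        query = {"error": code}
        if "state" in params:
            query["state"] = params["state"]
        return ("redirect", redirect_uri + "?" + urlencode(query))

    response_type = params.get("response_type")
    if response_type is None:
        return redirect_error("invalid_request")
    if response_type != "code":
        return redirect_error("unsupported_response_type")

    # The request is valid: only now authenticate the resource owner.
    if session_user is None:
        return ("login", "authenticate resource owner")
    return ("consent", f"ask {session_user} to approve")
```

An invalid request never reaches the `login` branch, so the user is not asked for credentials on behalf of a request the server will reject.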
