RFC 8252, "OAuth 2.0 for Native Apps", October 2017Source of RFC: oauth (sec)
Errata ID: 5848
Publication Format(s) : TEXT
Reported By: Bayard Bell
Date Reported: 2019-08-26
Rejected by: Benjamin Kaduk
Date Rejected: 2019-08-30
Section Appendix B.1 says:
Apps can initiate an authorization request in the browser, without the user leaving the app, through the "SFSafariViewController" class or its successor "SFAuthenticationSession", which implement the in- app browser tab pattern. Safari can be used to handle requests on old versions of iOS without in-app browser tab functionality.
It should say:
Apps can initiate an authorization request in the browser, without the user leaving the app, through the "ASWebAuthenticationSession" class or its successors "SFAuthenticationSession" and "SFSafariViewController", which implement the in-app browser tab pattern. The first of these allows calls to a handler registered for the AS URL, consistent with Section 7.2. The latter two classes, now deprecated, can use Safari to handle requests on old versions of iOS without in-app browser tab functionality.
SFAuthenticationSession documentation reflects deprecated status:
Here's the documentation for ASWebAuthenticationSession:
This sort of change to update for events since the time of publication is not appropriate for an erratum; errata are intended solely to indicate errors in a document that were errors at the time of publication. A revision of the document or a new document with an "Updates:" relationship would be more appropriate ways to indicate that the situation has changed.