RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012

Source of RFC: oauth (sec)

Errata ID: 6017
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Michael Osipov
Date Reported: 2020-03-15

Section 2.3.1 says:

Clients in possession of a client password MAY use the HTTP Basic
   authentication scheme as defined in [RFC2617] to authenticate with
   the authorization server.  The client identifier is encoded using the
   "application/x-www-form-urlencoded" encoding algorithm per
   Appendix B, and the encoded value is used as the username; the client
   password is encoded using the same algorithm and used as the
   password.

It should say:

Clients in possession of a client password MAY use the HTTP Basic
   authentication scheme as defined in [RFC7617] to authenticate with
   the authorization server.

Notes:

RFC 2617 has been superseded by RFC7617 which clearly defines in section 2.1 how a charset can be provided to solve the usecase described with encoding.

The original text of this RFC violates the approach described for Basic authentication.

Report New Errata