RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012

Note: This RFC has been updated by RFC 8252, RFC 8996

Source of RFC: oauth (sec)

Errata ID: 7823
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Alexander Stumpf
Date Reported: 2024-02-26

Section 3.2.1 says:

   Confidential clients or other clients issued client credentials MUST
   authenticate with the authorization server as described in
   Section 2.3 when making requests to the token endpoint.  Client
   authentication is used for:

   o  Enforcing the binding of refresh tokens and authorization codes to
      the client they were issued to.  Client authentication is critical
      when an authorization code is transmitted to the redirection
      endpoint over an insecure channel or when the redirection URI has
      not been registered in full.

It should say:

   Confidential clients or other clients issued client credentials MUST
   authenticate with the authorization server as described in
   Section 2.3 when making requests to the token endpoint.  Client
   authentication is used for:

   o  Enforcing the binding of refresh tokens, authorization codes, and
      (in the case of the Client Credentials Grant as described in
      Section 4.4) the access token to the client they were issued to.
      Client authentication is critical when an authorization code is
      transmitted to the redirection endpoint over an insecure channel
      or when the redirection URI has not been registered in full.

Notes:

Section 4.4.2 requires for the "client_credentials" grant type that the client is authenticated to the authorization server according to section 3.2.1. The reason for this authentication is (or so I assume) that the to-be-issued access token shall be bound to the correct (authenticated) client. Otherwise, the client could authenticate with valid credentials as "client A" and request a token for "client B", and would still be in accordance with the RFC, which is probably not intended.

Report New Errata



Advanced Search