RFC Errata
RFC 8693, "OAuth 2.0 Token Exchange", January 2020
Source of RFC: oauth (sec)
Errata ID: 7511
Status: Reported
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: Jesse Estum
Date Reported: 2023-05-08
Section 2.1 says:
Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are possible. For example, [RFC7523] defines client authentication using bearer JSON Web Tokens (JWTs) [JWT]. The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.
It should say:
Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are possible. The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.
Notes:
The specific example of authentication with RFC7523 would require a "grant_type" value of "urn:ietf:params:oauth:grant-type:jwt-bearer"; however, this directly conflicts with RFC8693, as it requires a "grant_type" value of "urn:ietf:params:oauth:grant-type:token-exchange".