RFC Errata



RFC 8693, "OAuth 2.0 Token Exchange", January 2020

Source of RFC: oauth (sec)

Errata ID: 7511
Status: Reported
Type: Technical
Publication Format(s): TEXT, PDF, HTML

Reported By: Jesse Estum
Date Reported: 2023-05-08

Section 2.1 says:

Client authentication to the authorization server is done using the 
normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749] 
defines password-based authentication of the client, however, client 
authentication is extensible and other mechanisms are possible. For 
example, [RFC7523] defines client authentication using bearer JSON Web 
Tokens (JWTs) [JWT]. The supported methods of client authentication and 
whether or not to allow unauthenticated or unidentified clients are 
deployment decisions that are at the discretion of the authorization 
server.

It should say:

Client authentication to the authorization server is done using the 
normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749] 
defines password-based authentication of the client, however, client 
authentication is extensible and other mechanisms are possible. The 
supported methods of client authentication and whether or not to allow 
unauthenticated or unidentified clients are deployment decisions that 
are at the discretion of the authorization server. 

Notes:

The specific example of authentication with RFC 7523 would require a "grant_type" value of "urn:ietf:params:oauth:grant-type:jwt-bearer"; however, this directly conflicts with RFC 8693, as it requires a "grant_type" value of "urn:ietf:params:oauth:grant-type:token-exchange".
