RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 2 records.

Status: Reported (2)

RFC 9126, "OAuth 2.0 Pushed Authorization Requests", September 2021

Source of RFC: oauth (sec)

Errata ID: 6711
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Brian Campbell
Date Reported: 2021-10-15

Section 3. says:

   Clients MAY use the "request" parameter as defined in JAR [RFC9101]
   to push a Request Object JWT to the authorization server.  The rules
   for processing, signing, and encryption of the Request Object as
   defined in JAR [RFC9101] apply.  Request parameters required by a
   given client authentication method are included in the "application/
   x-www-form-urlencoded" request directly and are the only parameters
   other than "request" in the form body (e.g., mutual TLS client
   authentication [RFC8705] uses the "client_id" HTTP request parameter,
   while JWT assertion-based client authentication [RFC7523] uses
   "client_assertion" and "client_assertion_type").  All other request
   parameters, i.e., those pertaining to the authorization request
   itself, MUST appear as claims of the JWT representing the
   authorization request.

It should say:

  Clients MAY use the request and client_id parameters as defined in 
  JAR [RFC9101] to push a Request Object JWT to the authorization 
  server. The rules for processing, signing, and encryption of the 
  Request Object as defined in JAR [RFC9101] apply. Request parameters
  required by a given client authentication method are included in the
  application/x-www-form-urlencoded request directly and are the only 
  parameters other than request and client_id in the form body (e.g.,
  JWT assertion-based client authentication [RFC7523] uses 
  "client_assertion" and "client_assertion_type") HTTP request
  parameters). All authorization request parameters, i.e., those 
  pertaining to the authorization request itself, MUST appear as
  claims of the JWT representing the authorization request.

Notes:

That first paragraph of Sec 3 was not properly updated to come inline with JAR (now RFC9101) when it changed in draft -21 to require "client_id" in the authorization request in addition to in addition to "request" or "request_uri" - so is somewhat ambiguous in maybe suggesting that "client_id" isn't required. But it is required based on how PAR works and RFC9101 requiring "client_id".

Errata ID: 7254
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Joseph Heenan
Date Reported: 2022-11-18

Section 1.1 says:

POST /as/par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

&response_type=code
&client_id=CLIENT1234&state=duk681S8n00GsJpe7n9boxdzen
<...>

It should say:

POST /as/par HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

response_type=code
&client_id=CLIENT1234&state=duk681S8n00GsJpe7n9boxdzen
<...>

Notes:

In the 'Introductory Example', the POST body to the par endpoint contains an unnecessary '&' at the start. (It's perhaps technically valid, but could potentially confuse readers.)

Report New Errata



Advanced Search