Re: [OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02

Karsten Meyer zu Selhausen <> Mon, 15 November 2021 14:59 UTC

Hi Julian,

thank you for your comments. Answers inline.

We mostly addressed them locally and will publish a new version when all 
IESG reviews are available and addressed by us.

Best regards,

On 01.11.2021 11:33, Julian Reschke via Datatracker wrote:
> Review is partially done. Another assignment may be needed to complete it.
> Reviewer: Julian Reschke
> Review result: Almost Ready
> (I have reviewed this with zero knowledge of OAuth, so additional review
> probably would be good)
> Major issues:
> 2.4
> "Clients MUST compare the extracted and URL-decoded value to the issuer
> identifier of the authorization server where the authorization request was sent
> to."
> I'm not sure that "URL-decoded" is correct with respect to decoding query
> parameters. Consider URLs containing "+" or "=". You probably need the encoding
> rules for application/x-www-form-urlencoded instead.
Good point. We changed the text to refer to 
> Minor issues:
> References to registries should not be listed as normative.
+1 that was an editorial mistake. Fixed.
> Nits:
> Section links to external documents do not appear to be marked up as such (and
> use a trailing dot in the section number which they should not)
I am actually not sure how to fix this. I removed the trailing dot 
(thanks for the hint) but when converting markdown to XML the section is 
not automatically recognized.
My markdown looks like this:
The authorization response as specified in Section 4.1.2 of [@!RFC6749]

The XML file like this:
The authorization response as specified in Section 4.1.2 of <xref 

Is there some example how to link the sections in external RFCs or 
should we create the links manually?

> There are no Acks; so section 6 should be deleted (if there were acks they
> should go into an unnumbered section at the end of the document)
We added missing Acks and moved them to the appendix.
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:  | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
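An added example (not from the draft, the reviewer or this reply) of the decoding point raised under 2.4: the client parses the authorization response's query with the application/x-www-form-urlencoded rules, extracts `iss`, and compares it to the issuer identifier of the authorization server it sent the request to. A naive percent-decoder is kept beside it only to show where the two diverge on a literal `+`. The client, AS and attacker URLs are constructed, hypothetical values.

```python
# Added example, not the draft's own text or code: client-side "iss" check
# for the OAuth authorization response (mix-up mitigation). The value is
# decoded with the application/x-www-form-urlencoded rules (parse_qs), not
# with plain percent-decoding, so '+' and '=' are handled the way the AS
# encoded them.
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def extract_iss_form_urlencoded(redirect_uri: str) -> Optional[str]:
    """Return the single 'iss' value from the redirect URI's query, decoded
    with form-urlencoded rules ('+' -> ' ', '%XX' -> byte), or None when the
    parameter is absent or occurs more than once (parameter pollution)."""
    query = urlsplit(redirect_uri).query
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("iss")
    if not values or len(values) != 1:
        return None
    return values[0]


def extract_iss_naive(redirect_uri: str) -> Optional[str]:
    """Naive 'URL-decoding': split on '&', strip 'iss=', percent-decode.
    Shown only to make the divergence visible: a literal '+' is kept as '+'
    instead of being read as a space as the form-urlencoded rules require."""
    query = urlsplit(redirect_uri).query
    for pair in query.split("&"):
        if pair.startswith("iss="):
            return unquote(pair[len("iss="):])
    return None


def issuer_matches(redirect_uri: str, expected_issuer: str) -> bool:
    """The check the draft describes: the decoded iss value must equal,
    character for character, the issuer identifier of the AS the
    authorization request was sent to. Missing or duplicated iss fails."""
    iss = extract_iss_form_urlencoded(redirect_uri)
    return iss is not None and iss == expected_issuer
```

Store the expected issuer with the `state` value when the request is sent, so the comparison uses what the client chose and not anything taken from the response.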