[OAUTH-WG] [Technical Errata Reported] RFC8628 (5840)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 19 August 2019 18:19 UTC

To: wdenniss@google.com, ve7jtb@ve7jtb.com, mbj@microsoft.com, Hannes.Tschofenig@gmx.net, rdd@cert.org, kaduk@mit.edu, Hannes.Tschofenig@gmx.net, rifaat.ietf@gmail.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: konstantin.lapine@forgerock.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Message-Id: <20190819181908.DF156B80C2A@rfc-editor.org>
Date: Mon, 19 Aug 2019 11:19:08 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3mqHYrTj_LnmCcrEo6A-zGoCHRs>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC8628 (5840)

The following errata report has been submitted for RFC8628,
"OAuth 2.0 Device Authorization Grant".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5840

--------------------------------------
Type: Technical
Reported by: Konstantin Lapine <konstantin.lapine@forgerock.com>

Section: 5.2

Original Text
-------------
An attacker who guesses the device code would be able to potentially
   obtain the authorization code once the user completes the flow.

Corrected Text
--------------
An attacker who guesses the device code would be able to potentially
   obtain the access token once the user completes the flow.


Notes
-----
The "authorization code" term is associated with Authorization Code Grant (defined in RFC 6749) and has the meaning of a temporary credential used by an OAuth 2.0 client to obtain the access token. Section 5.2 of RFC 8628 seems to refer to the steps of the device authorization flow during which the device code and the client identifier are exchanged for the access token (and the optional refresh token). 

Alternative correction:

"An attacker who guesses the device code would be able to potentially obtain the access token and the optional refresh token once the user completes the flow."

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC8628 (draft-ietf-oauth-device-flow-15)
--------------------------------------
Title               : OAuth 2.0 Device Authorization Grant
Publication Date    : August 2019
Author(s)           : W. Denniss, J. Bradley, M. Jones, H. Tschofenig
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG
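
Added example (not part of the erratum report or of RFC 8628): a toy in-memory authorization server in Python showing the token request the Notes describe, where the device code and the client identifier are exchanged directly for an access token and an optional refresh token, with no authorization code involved. The class, the client ID "tv-app", the "as.example" URI and the one-time-use policy are assumptions made for illustration.

```python
import secrets
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628, section 3.4

class DeviceGrantServer:
    """Toy authorization server, constructed for illustration only."""

    def __init__(self):
        self.pending = {}  # device_code -> request state

    def device_authorization(self, client_id):
        # Section 3.2 response: device_code is the high-entropy secret.
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "approved": False, "expires": time.time() + 600}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # placeholder
                "expires_in": 600, "interval": 5}

    def approve(self, user_code):
        # The user completes the flow on a second device.
        for state in self.pending.values():
            if state["user_code"] == user_code:
                state["approved"] = True

    def token(self, grant_type, device_code, client_id):
        # Section 3.4 request: only device_code and client_id are presented,
        # so knowing the device code is what unlocks the tokens.
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > state["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # this toy treats the code as one-time use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}

def run_flow():
    server = DeviceGrantServer()
    grant = server.device_authorization("tv-app")
    before = server.token(GRANT, grant["device_code"], "tv-app")
    unknown = server.token(GRANT, "not-an-issued-code", "tv-app")
    server.approve(grant["user_code"])
    after = server.token(GRANT, grant["device_code"], "tv-app")
    replay = server.token(GRANT, grant["device_code"], "tv-app")
    return before, unknown, after, replay
```

The successful response carries "access_token" (and here "refresh_token"), which is the wording the corrected text uses for Section 5.2.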