[OAUTH-WG] [Technical Errata Reported] RFC8628 (5840)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 19 August 2019 18:19 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 445A5120096 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2019 11:19:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 76wMwmUP_Bh0 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2019 11:19:17 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED2C120091 for <oauth@ietf.org>; Mon, 19 Aug 2019 11:19:16 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id DF156B80C2A; Mon, 19 Aug 2019 11:19:08 -0700 (PDT)
To: wdenniss@google.com, ve7jtb@ve7jtb.com, mbj@microsoft.com, Hannes.Tschofenig@gmx.net, rdd@cert.org, kaduk@mit.edu, Hannes.Tschofenig@gmx.net, rifaat.ietf@gmail.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: konstantin.lapine@forgerock.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20190819181908.DF156B80C2A@rfc-editor.org>
Date: Mon, 19 Aug 2019 11:19:08 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3mqHYrTj_LnmCcrEo6A-zGoCHRs>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC8628 (5840)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2019 18:19:18 -0000

The following errata report has been submitted for RFC8628,
"OAuth 2.0 Device Authorization Grant".

You may review the report below and at:

Type: Technical
Reported by: Konstantin Lapine <konstantin.lapine@forgerock.com>

Section: 5.2

Original Text
An attacker who guesses the device code would be able to potentially
   obtain the authorization code once the user completes the flow.

Corrected Text
An attacker who guesses the device code would be able to potentially
   obtain the access token once the user completes the flow.

The "authorization code" term is associated with Authorization Code Grant (defined in RFC 6749) and has the meaning of a temporary credential used by an OAuth 2.0 client to obtain the access token. Section 5.2 of RFC 8628 seems to refer to the steps of the device authorization flow during which the device code and the client identifier are exchanged for the access token (and the optional refresh token). 

Alternative correction:

"An attacker who guesses the device code would be able to potentially obtain the access token and the optional refresh token once the user completes the flow."

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

RFC8628 (draft-ietf-oauth-device-flow-15)
Title               : OAuth 2.0 Device Authorization Grant
Publication Date    : August 2019
Author(s)           : W. Denniss, J. Bradley, M. Jones, H. Tschofenig
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG