IETF Logo Mail Archive

Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7823)

Aaron Parecki <aaron@parecki.com> Mon, 26 February 2024 23:19 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAF0CC180B51 for <oauth@ietfa.amsl.com>; Mon, 26 Feb 2024 15:19:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IiA5ohWIi1XP for <oauth@ietfa.amsl.com>; Mon, 26 Feb 2024 15:19:33 -0800 (PST)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 739FAC180B78 for <oauth@ietf.org>; Mon, 26 Feb 2024 15:19:33 -0800 (PST)
Received: by mail-ua1-x92f.google.com with SMTP id a1e0cc1a2514c-7d5bbbe57bbso1885103241.1 for <oauth@ietf.org>; Mon, 26 Feb 2024 15:19:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1708989571; x=1709594371; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=P9sKT1s+oZcWRHdF+DAJmfvxXqtXBJ+RZhu4TrgxDhM=; b=DYF3TtKPwXRm6YwxizMgNEyiCqtzRFYhOlf2QUMop3R4SskMRq3GAFqRWVDyIdRK60 EEwKx977UPdVPYZ+cA2+LQ91dOqSqP2sx+6qX6btEPuUQZDbViydLdlRoYPS7y4KviUd T04w0RUER7wEhtWfb9vYpLwmLwmXjO9gv5rss1LgiQfUgTCjAanIWWQpdsRdblZRy0H0 5xDEGI570w/pQPK9ii0ghdgE3nMyg7ZFTF2ES6lxzeIXR8RrSBQn8xKiHUf4unZcs+oW hP23oUIJQET0AgTq+FkrQcCADVVi0Lc1Rf6bq1qMoP1PcnzepSnT50yyMMjyqd3QkR+T lOjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708989571; x=1709594371; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=P9sKT1s+oZcWRHdF+DAJmfvxXqtXBJ+RZhu4TrgxDhM=; b=haOg0hZlqR9gG/PAPVSTIS+7HU/j/fAN7QkFanuhroXKZcaDWGbNMtuVEhksOq0XDt 10QBGO3j5oAbuI+sTtg+9I8Jp3XK1e13XmIVdtiPh4WFk4oU9qK1/RH3eN4cVskFekiD uwtQlgnJPowY1ZLt6YKioJjq2uDT9w2sQTsQAx1eA3o0Fud8gBke1BkhY0o/n4aOG/wn +hyGSoEJ0hIV86uCkZnLXUm1xrV9nZ76rFlESrNhfCdCmL+2jCXZtKno1ZlGlWSyszgN AETHfhg65xh/NUsH7aLiIa8FW7ev3pGGjwJXLG1gn60OTih0kX67eAUiy7x1Gzm3Hg/3 psrg==
X-Gm-Message-State: AOJu0Yx+J4xu6ddPjXs821ndDyaCtgdSlj2IxknJ44fwCcuASalOkcPh M/LB+xCKtvqoDo206k5LqAT8TbnUe5L0WofwoN8XTH3ZtMMwzP32gQP2MGZi3riJpWT4ll81wgA =
X-Google-Smtp-Source: AGHT+IFmQMtIZzEcObGlzGB9FrtBTkHLkDNLl7rcobZQm61qulN19SQVaW1+p+WH84Tn+/nXiNyicg==
X-Received: by 2002:a05:6102:3a63:b0:470:5b9b:8693 with SMTP id bf3-20020a0561023a6300b004705b9b8693mr4587579vsb.6.1708989571508; Mon, 26 Feb 2024 15:19:31 -0800 (PST)
Received: from mail-ua1-f54.google.com (mail-ua1-f54.google.com. [209.85.222.54]) by smtp.gmail.com with ESMTPSA id i40-20020a0561023d2800b0047065173094sm1119880vsv.1.2024.02.26.15.19.30 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 26 Feb 2024 15:19:31 -0800 (PST)
Received: by mail-ua1-f54.google.com with SMTP id a1e0cc1a2514c-7d5bbbe57bbso1885087241.1 for <oauth@ietf.org>; Mon, 26 Feb 2024 15:19:30 -0800 (PST)
X-Received: by 2002:a67:fe4b:0:b0:470:5373:2389 with SMTP id m11-20020a67fe4b000000b0047053732389mr4766828vsr.0.1708989570694; Mon, 26 Feb 2024 15:19:30 -0800 (PST)
MIME-Version: 1.0
References: <20240226231354.820FAEF28C@rfcpa.amsl.com>
In-Reply-To: <20240226231354.820FAEF28C@rfcpa.amsl.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 26 Feb 2024 15:19:19 -0800
X-Gmail-Original-Message-ID: <CAGBSGjqJuho5oD3-TDk2tFyGdJ-rzn6V8XxSn+XxakS=PgUocw@mail.gmail.com>
Message-ID: <CAGBSGjqJuho5oD3-TDk2tFyGdJ-rzn6V8XxSn+XxakS=PgUocw@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: oauth@ietf.org, rfc@alexstumpf.de
Content-Type: multipart/alternative; boundary="000000000000494f210612512489"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3ylKNPxfZH0jGIJdO6xwBAtRTQU>
Subject: Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7823)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2024 23:19:37 -0000

This errata should be rejected.

The client credentials grant results in an access token issued to
the client that presented credentials. There is no mechanism for "Client A"
to request a token for "Client B" using the client credentials grant, since
the credentials themselves are what determines which client the token is
issued to. However, this access token is not "bound" to the client, since
it is still a bearer token. (Other extensions like DPoP can add a binding
of the access token to the client.)

Aaron


On Mon, Feb 26, 2024 at 3:14 PM RFC Errata System <rfc-editor@rfc-editor.org>
wrote:

> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7823
>
> --------------------------------------
> Type: Editorial
> Reported by: Alexander Stumpf <rfc@AlexStumpf.de>
>
> Section: 3.2.1
>
> Original Text
> -------------
>    Confidential clients or other clients issued client credentials MUST
>    authenticate with the authorization server as described in
>    Section 2.3 when making requests to the token endpoint.  Client
>    authentication is used for:
>
>    o  Enforcing the binding of refresh tokens and authorization codes to
>       the client they were issued to.  Client authentication is critical
>       when an authorization code is transmitted to the redirection
>       endpoint over an insecure channel or when the redirection URI has
>       not been registered in full.
>
> Corrected Text
> --------------
>    Confidential clients or other clients issued client credentials MUST
>    authenticate with the authorization server as described in
>    Section 2.3 when making requests to the token endpoint.  Client
>    authentication is used for:
>
>    o  Enforcing the binding of refresh tokens, authorization codes, and
>       (in the case of the Client Credentials Grant as described in
>       Section 4.4) the access token to the client they were issued to.
>       Client authentication is critical when an authorization code is
>       transmitted to the redirection endpoint over an insecure channel
>       or when the redirection URI has not been registered in full.
>
> Notes
> -----
> Section 4.4.2 requires for the "client_credentials" grant type that the
> client is authenticated to the authorization server according to section
> 3.2.1. The reason for this authentication is (or so I assume) that the
> to-be-issued access token shall be bound to the correct (authenticated)
> client. Otherwise, the client could authenticate with valid credentials as
> "client A" and request a token for "client B", and would still be in
> accordance with the RFC, which is probably not intended.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title               : The OAuth 2.0 Authorization Framework
> Publication Date    : October 2012
> Author(s)           : D. Hardt, Ed.
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email