Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7823)
Rebecca VanRheenen <rvanrheenen@amsl.com> Tue, 27 February 2024 00:43 UTC
Return-Path: <rvanrheenen@amsl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FA95C15153F for <oauth@ietfa.amsl.com>; Mon, 26 Feb 2024 16:43:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 32JPT9rVDqj6 for <oauth@ietfa.amsl.com>; Mon, 26 Feb 2024 16:43:18 -0800 (PST)
Received: from c8a.amsl.com (c8a.amsl.com [4.31.198.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 690EBC14F5F8 for <oauth@ietf.org>; Mon, 26 Feb 2024 16:43:18 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by c8a.amsl.com (Postfix) with ESMTP id 53E56424B455; Mon, 26 Feb 2024 16:43:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from c8a.amsl.com ([127.0.0.1]) by localhost (c8a.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VUIy3VxgMJJm; Mon, 26 Feb 2024 16:43:18 -0800 (PST)
Received: from [192.168.2.202] (68-252-221-24.lightspeed.tukrga.sbcglobal.net [68.252.221.24]) by c8a.amsl.com (Postfix) with ESMTPSA id E2620424B426; Mon, 26 Feb 2024 16:43:17 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Rebecca VanRheenen <rvanrheenen@amsl.com>
In-Reply-To: <20240226231354.820FAEF28C@rfcpa.amsl.com>
Date: Mon, 26 Feb 2024 19:43:16 -0500
Cc: "rfc@alexstumpf.de" <rfc@AlexStumpf.de>, dick.hardt@gmail.com, oauth@ietf.org, RFC Editor <rfc-editor@rfc-editor.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D6760B0-FEAD-4925-BEC7-A20A95B9A4A9@amsl.com>
References: <20240226231354.820FAEF28C@rfcpa.amsl.com>
To: Roman Danyliw <rdd@cert.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4Za62tFSzoS8_OPSqgmsgL8g2bc>
Subject: Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7823)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 00:43:22 -0000
Hi Roman, We are unable to verify this erratum that the submitter marked as editorial, so we changed the Type to “Technical”. As Stream Approver, please review and set the Status and Type accordingly (see the definitions at https://www.rfc-editor.org/errata-definitions/). You may review the report at: https://www.rfc-editor.org/errata/eid7823 Information on how to verify errata reports can be found at: https://www.rfc-editor.org/how-to-verify/ Further information on errata can be found at: https://www.rfc-editor.org/errata.php Thank you. RFC Editor/rv > On Feb 26, 2024, at 6:13 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote: > > The following errata report has been submitted for RFC6749, > "The OAuth 2.0 Authorization Framework". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid7823 > > -------------------------------------- > Type: Editorial > Reported by: Alexander Stumpf <rfc@AlexStumpf.de> > > Section: 3.2.1 > > Original Text > ------------- > Confidential clients or other clients issued client credentials MUST > authenticate with the authorization server as described in > Section 2.3 when making requests to the token endpoint. Client > authentication is used for: > > o Enforcing the binding of refresh tokens and authorization codes to > the client they were issued to. Client authentication is critical > when an authorization code is transmitted to the redirection > endpoint over an insecure channel or when the redirection URI has > not been registered in full. > > Corrected Text > -------------- > Confidential clients or other clients issued client credentials MUST > authenticate with the authorization server as described in > Section 2.3 when making requests to the token endpoint. Client > authentication is used for: > > o Enforcing the binding of refresh tokens, authorization codes, and > (in the case of the Client Credentials Grant as described in > Section 4.4) the access token to the client they were issued to. > Client authentication is critical when an authorization code is > transmitted to the redirection endpoint over an insecure channel > or when the redirection URI has not been registered in full. > > Notes > ----- > Section 4.4.2 requires for the "client_credentials" grant type that the client is authenticated to the authorization server according to section 3.2.1. The reason for this authentication is (or so I assume) that the to-be-issued access token shall be bound to the correct (authenticated) client. Otherwise, the client could authenticate with valid credentials as "client A" and request a token for "client B", and would still be in accordance with the RFC, which is probably not intended. > > Instructions: > ------------- > This erratum is currently posted as "Reported". (If it is spam, it > will be removed shortly by the RFC Production Center.) Please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > will log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC6749 (draft-ietf-oauth-v2-31) > -------------------------------------- > Title : The OAuth 2.0 Authorization Framework > Publication Date : October 2012 > Author(s) : D. Hardt, Ed. > Category : PROPOSED STANDARD > Source : Web Authorization Protocol > Area : Security > Stream : IETF > Verifying Party : IESG >
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Aaron Parecki
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Rebecca VanRheenen
- [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7… RFC Errata System
- Re: [OAUTH-WG] [Editorial Errata Reported] RFC674… Aaron Parecki