Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)
Dick Hardt <dick.hardt@gmail.com> Tue, 04 February 2014 18:28 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 04 Feb 2014 10:27:47 -0800
Message-ID: <CAD9ie-uo=uSo6DwTiiD+hsuL4+ZuQZWOE-z36SmcNFq25FkLRQ@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a113a9c023f05a704f198cd1a"
Cc: "eriksencosta@gmail.com" <eriksencosta@gmail.com>, Sean Turner <turners@ieca.com>, Derek Atkins <derek@ihtfp.com>, oauth <oauth@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3880)
My bad, sorry.

On Tue, Feb 4, 2014 at 8:58 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> +1
>
> Phil
>
> On Feb 4, 2014, at 8:33, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> > The text in 10.16 is correct.
> >
> > This is a security consideration that has caused serious problems for Facebook and other implementers.
> >
> > In the Implicit flow there is no way for a client to know if an access token was issued to it or another client.
> >
> > The UA presenting the access token in an implicit flow may be the resource owner but may also be any other client that has ever received an access token for the resource.
> >
> > In the implicit flow the Authorization server knows what client it has issued an access token to via the registered redirect URI.
> >
> > The change doesn't reflect the intent of the security consideration.
> >
> > John B.
> >
> >> On Feb 4, 2014, at 1:13 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> >>
> >> The following errata report has been submitted for RFC6749,
> >> "The OAuth 2.0 Authorization Framework".
> >>
> >> --------------------------------------
> >> You may review the report below and at:
> >> http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3880
> >>
> >> --------------------------------------
> >> Type: Technical
> >> Reported by: Eriksen Costa <eriksencosta@gmail.com>
> >>
> >> Section: 10.16
> >>
> >> Original Text
> >> -------------
> >> For public clients using implicit flows, this specification does not
> >> provide any method for the client to determine what client an access
> >> token was issued to.
> >>
> >> Corrected Text
> >> --------------
> >> For public clients using implicit flows, this specification does not
> >> provide any method for the authorization server to determine what
> >> client an access token was issued to.
> >>
> >> Notes
> >> -----
> >> A client can only know about tokens issued to it and not for other clients.
> >>
> >> Instructions:
> >> -------------
> >> This errata is currently posted as "Reported". If necessary, please
> >> use "Reply All" to discuss whether it should be verified or
> >> rejected. When a decision is reached, the verifying party (IESG)
> >> can log in to change the status and edit the report, if necessary.
> >>
> >> --------------------------------------
> >> RFC6749 (draft-ietf-oauth-v2-31)
> >> --------------------------------------
> >> Title : The OAuth 2.0 Authorization Framework
> >> Publication Date : October 2012
> >> Author(s) : D. Hardt, Ed.
> >> Category : PROPOSED STANDARD
> >> Source : Web Authorization Protocol
> >> Area : Security
> >> Stream : IETF
> >> Verifying Party : IESG
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
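The point John Bradley makes in the quoted message (the client holding an implicit-flow access token cannot tell which client it was issued to; only the authorization server knows that) modelled as an added example. This is illustration code written for this page, not code from RFC 6749, from the thread, or from any implementation named in it. The `AuthorizationServer.lookup` call is an assumed, hypothetical validation endpoint standing in for whatever the deployment actually offers (token introspection per RFC 7662, or an audience claim such as the OpenID Connect ID token `aud`, are two real ways to get the same information); the client ids, owner name and tokens are constructed sample values.

```python
"""Model of RFC 6749 section 10.16: in the implicit flow an access token
arrives at the client via the user agent, and the opaque token string
carries no indication of which client it was issued to.  The
authorization server is the only party that knows that (it delivered the
token to a registered redirect URI).

Added illustration for this page; not code from the RFC or the thread.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Issues opaque bearer tokens and records which client each went to."""
    issued: dict = field(default_factory=dict)  # token -> (client_id, owner)

    def issue_implicit_token(self, client_id: str, resource_owner: str) -> str:
        # Opaque token: nothing in the string identifies the client.
        token = secrets.token_urlsafe(24)
        self.issued[token] = (client_id, resource_owner)
        return token

    def lookup(self, token: str):
        """Hypothetical validation call (assumption: the AS exposes one).
        Returns (client_id, owner), or None for a token it never issued."""
        return self.issued.get(token)


def naive_client_accepts(token: str) -> bool:
    """A client that trusts whatever bearer token the user agent hands it.
    With only the token string available it has no way to distinguish a
    token issued to itself from one issued to some other client, so it
    accepts both.  This is the gap section 10.16 warns about."""
    return bool(token)


def client_accepts_with_validation(my_client_id: str, token: str,
                                   server: AuthorizationServer) -> bool:
    """Ask the authorization server who the token was issued to and
    accept it only if that client is us.  The AS has the information the
    client lacks, which is why the check has to go through it."""
    info = server.lookup(token)
    return info is not None and info[0] == my_client_id


def demo() -> dict:
    """Constructed scenario: two clients obtain tokens for the same owner,
    and client-a is handed each of them by a user agent."""
    server = AuthorizationServer()
    own_token = server.issue_implicit_token("client-a", "alice")
    other_token = server.issue_implicit_token("client-b", "alice")
    return {
        "naive_own": naive_client_accepts(own_token),
        "naive_other": naive_client_accepts(other_token),       # wrongly accepted
        "validated_own": client_accepts_with_validation("client-a", own_token, server),
        "validated_other": client_accepts_with_validation("client-a", other_token, server),
        "validated_unknown": client_accepts_with_validation("client-a", "not-a-token", server),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Running it shows the naive client accepting both tokens, while the validating client accepts only the token the server issued to `client-a` and rejects the other client's token and an unknown string. The model keeps the "Original Text" wording intact: the limitation is on the client's side, and the fix routes the decision back to the authorization server.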