[OAUTH-WG] [Errata Held for Document Update] RFC6749 (4206)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 08 December 2015 17:14 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F2491A0137; Tue, 8 Dec 2015 09:14:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.912
X-Spam-Level:
X-Spam-Status: No, score=-106.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNkJHDgeBepX; Tue, 8 Dec 2015 09:14:18 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) by ietfa.amsl.com (Postfix) with ESMTP id 9391B1A0102; Tue, 8 Dec 2015 09:14:18 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id 011411804F5; Tue, 8 Dec 2015 09:12:15 -0800 (PST)
To: alex@kempgen.de, dick.hardt@gmail.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20151208171216.011411804F5@rfc-editor.org>
Date: Tue, 08 Dec 2015 09:12:16 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JUemwNqXg8UpQcb6RzSwjFiWr_g>
Cc: rfc-editor@rfc-editor.org, Kathleen.Moriarty@emc.com, iesg@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] [Errata Held for Document Update] RFC6749 (4206)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2015 17:14:20 -0000

The following errata report has been held for document update 
for RFC6749, "The OAuth 2.0 Authorization Framework". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4206

--------------------------------------
Status: Held for Document Update
Type: Editorial

Reported by: Alexander Kempgen <alex@kempgen.de>
Date Reported: 2014-12-23
Held by: Kathleen Moriarty (IESG)

Section: 4.1

Original Text
-------------
   (E)  The authorization server authenticates the client, validates the
        authorization code, and ensures that the redirection URI
        received matches the URI used to redirect the client in
        step (C).  If valid, the authorization server responds back with
        an access token and, optionally, a refresh token.

Corrected Text
--------------
   (E)  The authorization server authenticates the client, validates the
        authorization code, and ensures that the redirection URI
        received matches the redirection URI provided by the client in
        step (A).  If valid, the authorization server responds back with
        an access token and, optionally, a refresh token.

Notes
-----
AD & WG notes: The wording is better, so this is accepted, but it does mean the same thing.  The URI in A and C are the same.

See https://www.ietf.org/mail-archive/web/oauth/current/msg15277.html and responses.

Submitter notes: As written in section 4.1.3, the redirection URI in the access token request must match the redirection URI provided by the client in the authorization request (4.1.1). The URI used to redirect the user agent to the client in step (C) is actually different from this URI, as it contains the additional query parameters \\\\\\\\\\\\\\\\"code\\\\\\\\\\\\\\\\" and \\\\\\\\\\\\\\\\"state\\\\\\\\\\\\\\\\".

Affects the same sentence as Errata ID: 3500.

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG