IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Tue, 19 July 2022 13:16 UTC

Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42B3EC188711 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 06:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EayzhkN8YpCs for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 06:16:00 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AF1BC14F606 for <oauth@ietf.org>; Tue, 19 Jul 2022 06:16:00 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id p26-20020a1c545a000000b003a2fb7c1274so7328091wmi.1 for <oauth@ietf.org>; Tue, 19 Jul 2022 06:16:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B1gIJWc/koEJ7Jd0Hrq/zMNz91OSFbNd1Pc19/2I4jI=; b=QEwQM2izdxCaow/mwr2wgDfo0ifUmKNkwfv7o3WsHYxWdb5RXk1Zm7BidnvUlaxKUl gPQqSvCeE4xjYBCRrEEDzAxm8gKs4RmG/lrC8X6Z39GFIf7tg3KUs/A3MKxjdWkNe2gi yhxaydw573Iccu/xOtVGl0uQbJ4gxiL4FF2rVZ/q+6Xh6AGd0mo6XrLdo6zuD+KumAIt 9Cf/JvBXY0D3BNEquPgMzD7rL56RyjcFp1c/D6HOF2DVAH2/emxSWV1psesRyF+kvp9V k0iYFAfpf9poonngvw4XGMLQ9R87vWsxz6J84ZjoDXl+8P+AaIk6/pj1Ie9MUkMTSXwA mvHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B1gIJWc/koEJ7Jd0Hrq/zMNz91OSFbNd1Pc19/2I4jI=; b=LkQlIUHpZhHr+90K0tWH4YC6wK5kezt7KDMhNp+QwkeAf8EaOgSQJsWGkkFFGmsQUS hysuFcY2I88VtsttslJTKa1dChj8DUxPDUsBgXoJocuIOa+pE7ZAwvjZZMd2PRAW02Yl g80FvEH0yxeAEhmaelhVnZfsvLHXYEM6CsFyQwjBRrc/UrGejG/GvNBPE1OrWhHHFfY+ p4P+wZGzRPDzDJgzeq4WjHUgbuG5FZUmdQEmW7CHuxsmshrm0ks1lUjg1xSL+qFbCyY7 if1KuN3jXqnpZre9peBdYWHIuKnqFH925qAkADI4f3QXOxwWCOzEvi6ERo3Tp0n6Tp46 5Zpg==
X-Gm-Message-State: AJIora/KhrYfxfz9FXstgOANfJ9XhGBl2PcM4sOy3dr3JFiOAm+tiGeu RNrmVyLy0WDlZoWBfaS3W/SiHAG9LJoIgIUdBHw=
X-Google-Smtp-Source: AGRyM1voPknKJXUZ5AaA1ByueTwmV7VlXsOpmMOK1UclqgYyqGPLRhJp64kiWOoQVTpCiCUSCML64PQm7rR4cEAhxiM=
X-Received: by 2002:a7b:ce8f:0:b0:3a3:150c:d8ff with SMTP id q15-20020a7bce8f000000b003a3150cd8ffmr13660809wmj.152.1658236558807; Tue, 19 Jul 2022 06:15:58 -0700 (PDT)
MIME-Version: 1.0
References: <20211015193847.E6C9E20EBD5@rfc-editor.org> <CA+k3eCTmZHQ9yrokOQLd98t9JWvQB39Qf1Xz2rq=Dm8=JZ_nBw@mail.gmail.com>
In-Reply-To: <CA+k3eCTmZHQ9yrokOQLd98t9JWvQB39Qf1Xz2rq=Dm8=JZ_nBw@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Tue, 19 Jul 2022 09:15:47 -0400
Message-ID: <CADNypP_WF1FOCncUs8djWqKndz5dXsnD7+uLiFvURmDqEGiCMw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Torsten Lodderstedt <torsten@lodderstedt.net>, Nat Sakimura <nat@sakimura.org>, dave@tonge.org, Filip Skokan <panva.ip@gmail.com>, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth <oauth@ietf.org>, paul.wouters@aiven.io
Content-Type: multipart/alternative; boundary="0000000000000a962305e42849bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NqtA9jM0_7MtPH_RMwCKs-ZDZIY>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 13:16:04 -0000

+ Roman and Paul

On Mon, Jul 18, 2022 at 12:25 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> I believe this should be verified. I'm also the one that reported it
> though. But it's been sitting in reported status for a while now.
>
> On Fri, Oct 15, 2021 at 1:38 PM RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
>
>> The following errata report has been submitted for RFC9126,
>> "OAuth 2.0 Pushed Authorization Requests".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6711
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Brian Campbell <bcampbell@pingidentity.com>
>>
>> Section: 3.
>>
>> Original Text
>> -------------
>>    Clients MAY use the "request" parameter as defined in JAR [RFC9101]
>>    to push a Request Object JWT to the authorization server.  The rules
>>    for processing, signing, and encryption of the Request Object as
>>    defined in JAR [RFC9101] apply.  Request parameters required by a
>>    given client authentication method are included in the "application/
>>    x-www-form-urlencoded" request directly and are the only parameters
>>    other than "request" in the form body (e.g., mutual TLS client
>>    authentication [RFC8705] uses the "client_id" HTTP request parameter,
>>    while JWT assertion-based client authentication [RFC7523] uses
>>    "client_assertion" and "client_assertion_type").  All other request
>>    parameters, i.e., those pertaining to the authorization request
>>    itself, MUST appear as claims of the JWT representing the
>>    authorization request.
>>
>> Corrected Text
>> --------------
>>   Clients MAY use the request and client_id parameters as defined in
>>   JAR [RFC9101] to push a Request Object JWT to the authorization
>>   server. The rules for processing, signing, and encryption of the
>>   Request Object as defined in JAR [RFC9101] apply. Request parameters
>>   required by a given client authentication method are included in the
>>   application/x-www-form-urlencoded request directly and are the only
>>   parameters other than request and client_id in the form body (e.g.,
>>   JWT assertion-based client authentication [RFC7523] uses
>>   "client_assertion" and "client_assertion_type") HTTP request
>>   parameters). All authorization request parameters, i.e., those
>>   pertaining to the authorization request itself, MUST appear as
>>   claims of the JWT representing the authorization request.
>>
>> Notes
>> -----
>> That first paragraph of Sec 3 was not properly updated to come inline
>> with JAR (now RFC9101) when it changed in draft -21 to require "client_id"
>> in the authorization request in addition to in addition to "request" or
>> "request_uri" - so is  somewhat ambiguous in maybe suggesting that
>> "client_id" isn't required. But it is required based on how PAR works and
>> RFC9101 requiring "client_id".
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC9126 (draft-ietf-oauth-par-10)
>> --------------------------------------
>> Title               : OAuth 2.0 Pushed Authorization Requests
>> Publication Date    : September 2021
>> Author(s)           : T. Lodderstedt, B. Campbell, N. Sakimura, D. Tonge,
>> F. Skokan
>> Category            : PROPOSED STANDARD
>> Source              : Web Authorization Protocol
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email