[OAUTH-WG] [Technical Errata Reported] RFC8693 (7511)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 08 May 2023 15:57 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9758BC15DD5E for <oauth@ietfa.amsl.com>; Mon, 8 May 2023 08:57:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.646
X-Spam-Level:
X-Spam-Status: No, score=-1.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2DKTET3WMo0B for <oauth@ietfa.amsl.com>; Mon, 8 May 2023 08:57:39 -0700 (PDT)
Received: from rfcpa.amsl.com (rfc-editor.org [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8E08C14CE38 for <oauth@ietf.org>; Mon, 8 May 2023 08:57:39 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id B14AFAEAE; Mon, 8 May 2023 08:57:39 -0700 (PDT)
To: mbj@microsoft.com, tonynad@microsoft.com, brian.d.campbell@gmail.com, ve7jtb@ve7jtb.com, chuck.mortimore@visa.com, rdd@cert.org, paul.wouters@aiven.io, hannes.tschofenig@arm.com, rifaat.s.ietf@gmail.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: jesse.estum@gmail.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20230508155739.B14AFAEAE@rfcpa.amsl.com>
Date: Mon, 08 May 2023 08:57:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/S4tkIeNLsru_W7I1JDmcqb4HrAg>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC8693 (7511)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 May 2023 15:57:43 -0000
The following errata report has been submitted for RFC8693, "OAuth 2.0 Token Exchange". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid7511 -------------------------------------- Type: Technical Reported by: Jesse Estum <jesse.estum@gmail.com> Section: 2.1 Original Text ------------- Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are possible. For example, [RFC7523] defines client authentication using bearer JSON Web Tokens (JWTs) [JWT]. The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server. Corrected Text -------------- Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are possible. The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server. Notes ----- The specific example of authentication with RFC7523 would require "grant_type" value of "urn:ietf:params:oauth:grant-type:jwt-bearer", however this directly conflicts with RFC8693 as it requires "grant_type" value of "urn:ietf:params:oauth:grant-type:token-exchange". Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC8693 (draft-ietf-oauth-token-exchange-19) -------------------------------------- Title : OAuth 2.0 Token Exchange Publication Date : January 2020 Author(s) : M. Jones, A. Nadalin, B. Campbell, Ed., J. Bradley, C. Mortimore Category : PROPOSED STANDARD Source : Web Authorization Protocol Area : Security Stream : IETF Verifying Party : IESG
- [OAUTH-WG] [Technical Errata Reported] RFC8693 (7… RFC Errata System
- Re: [OAUTH-WG] [Technical Errata Reported] RFC869… Aaron Parecki
- Re: [OAUTH-WG] [Technical Errata Reported] RFC869… Brian Campbell