[OAUTH-WG] [Technical Errata Reported] RFC7636 (5687)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 09 April 2019 22:02 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6094C12047D for <oauth@ietfa.amsl.com>; Tue, 9 Apr 2019 15:02:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ga2fBE8NJUyX for <oauth@ietfa.amsl.com>; Tue, 9 Apr 2019 15:02:50 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4871D120496 for <oauth@ietf.org>; Tue, 9 Apr 2019 15:02:50 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 5100EB80458; Tue, 9 Apr 2019 15:02:46 -0700 (PDT)
To: n-sakimura@nri.co.jp, ve7jtb@ve7jtb.com, naa@google.com, rdd@cert.org, kaduk@mit.edu, Hannes.Tschofenig@gmx.net, rifaat.ietf@gmail.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: collinsauve@gmail.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20190409220246.5100EB80458@rfc-editor.org>
Date: Tue, 9 Apr 2019 15:02:46 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WynKKb0yMRT6NJQWTB_WEUpZMCo>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC7636 (5687)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2019 22:02:55 -0000

The following errata report has been submitted for RFC7636,
"Proof Key for Code Exchange by OAuth Public Clients".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5687

--------------------------------------
Type: Technical
Reported by: Collin Sauve <collinsauve@gmail.com>

Section: 5

Original Text
-------------
Server implementations of this specification MAY accept OAuth2.0
clients that do not implement this extension.  If the "code_verifier"
is not received from the client in the Authorization Request, servers
supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
protocol without this extension.

As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not
need to know if the server has implemented this specification or not
and SHOULD send the additional parameters as defined in Section 4 to
all servers.


Corrected Text
--------------
Server implementations of this specification MAY accept OAuth2.0
clients that do not implement this extension.  If the "code_challenge"
is not received from the client in the Authorization Request, servers
supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
protocol without this extension.

As the OAuth 2.0 [RFC6749] server responses are unchanged by this
specification, client implementations of this specification do not
need to know if the server has implemented this specification or not
and SHOULD send the additional parameters as defined in Section 4 to
all servers.


Notes
-----
The code_verifier is not sent in the authorization request.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC7636 (draft-ietf-oauth-spop-15)
--------------------------------------
Title               : Proof Key for Code Exchange by OAuth Public Clients
Publication Date    : September 2015
Author(s)           : N. Sakimura, Ed., J. Bradley, N. Agarwal
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG