[OAUTH-WG] [Technical Errata Reported] RFC6749 (5332)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 24 April 2018 14:33 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id BA5BE12D7F6 for <oauth@ietfa.amsl.com>; Tue, 24 Apr 2018 07:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 317RvTZTzWa6 for <oauth@ietfa.amsl.com>; Tue, 24 Apr 2018 07:33:18 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6106712DFDB for <oauth@ietf.org>; Tue, 24 Apr 2018 07:32:55 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 90DABB82844; Tue, 24 Apr 2018 07:32:38 -0700 (PDT)
To: dick.hardt@gmail.com, kaduk@mit.edu, ekr@rtfm.com, Hannes.Tschofenig@gmx.net, rifaat.ietf@gmail.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: donald.coffin@reminetworks.com, oauth@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20180424143238.90DABB82844@rfc-editor.org>
Date: Tue, 24 Apr 2018 07:32:38 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cu_v-uxexKm0RN5ActUA2utl73Y>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (5332)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 14:33:20 -0000

The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".

You may review the report below and at:

Type: Technical
Reported by: Donald F Coffin <donald.coffin@reminetworks.com>

Section: 4.1

Original Text
(B)  The authorization server authenticates the resource owner (via
     the user-agent) and establishes whether the resource owner
     grants or denies the client's access request.

Corrected Text
(B)  The authorization server validates the request to ensure that 
     all required parameters are present and valid.  If the request 
     is valid, the authorization server authenticates the resource 
     owner and obtains an authorization decision (by asking the 
     resource owner via the user-agent or by use of other 
     established approval means).

"Section 4.1 Authorization Code Grant (B)" conflicts with "Section 4.1.1 Authorization
Request".  The current verbiage implies the resource owner should be authenticated 
prior to "The authorization server validates the request to ensure that all required 
parameters are present and valid".  Such implementations lead to overly complex 
user experiences when the Authorization Server determines the request is invalid.

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

RFC6749 (draft-ietf-oauth-v2-31)
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG