[OAUTH-WG] [Technical Errata Reported] RFC6749 (3780)

RFC Errata System <rfc-editor@rfc-editor.org> Mon, 04 November 2013 16:20 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 557CF21F9D7A for <oauth@ietfa.amsl.com>; Mon, 4 Nov 2013 08:20:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.432
X-Spam-Status: No, score=-102.432 tagged_above=-999 required=5 tests=[AWL=0.168, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Wgn7j03o7002 for <oauth@ietfa.amsl.com>; Mon, 4 Nov 2013 08:20:41 -0800 (PST)
Received: from rfc-editor.org (unknown [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id 597E511E81E1 for <oauth@ietf.org>; Mon, 4 Nov 2013 08:20:24 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id E102975E012; Mon, 4 Nov 2013 08:10:54 -0800 (PST)
To: dick.hardt@gmail.com, stephen.farrell@cs.tcd.ie, turners@ieca.com, Hannes.Tschofenig@gmx.net, derek@ihtfp.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20131104161054.E102975E012@rfc-editor.org>
Date: Mon, 04 Nov 2013 08:10:54 -0800
Cc: oauth@ietf.org, rfc-editor@rfc-editor.org
Subject: [OAUTH-WG] [Technical Errata Reported] RFC6749 (3780)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2013 16:20:42 -0000

The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".

You may review the report below and at:

Type: Technical
Reported by: Torsten Lodderstedt <torsten@lodderstedt.net>

Section: 3.2.1

Original Text
A client MAY use the "client_id" request parameter to identify itself
   when sending requests to the token endpoint.

Corrected Text
A public client MAY use the "client_id" request parameter to identify 
itself when sending requests to the token endpoint.

The current text may mislead confidential clients to sent their client_id in the request body in addition to their client_id and client_secret in the BASIC authz header. This leads to unnecessary duplication and ambiguities. 

There has been consensus on the list that the intention of this sentence was to advise _public_ clients to identity themselves towards the token endpoint in order to mitigate substitution attacks and allow for logging. Confidential clients need to authenticate anyway, this sentence should be narrowed down to public clients only. 

see http://www.ietf.org/mail-archive/web/oauth/current/msg12005.html

This issue was discovered in the course of the OpenID Connect Interop testings.

This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

RFC6749 (draft-ietf-oauth-v2-31)
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG