[OAUTH-WG] [Technical Errata Reported] RFC6749 (5793)

RFC Errata System <rfc-editor@rfc-editor.org> Thu, 25 July 2019 22:44 UTC

To: dick.hardt@gmail.com, rdd@cert.org, kaduk@mit.edu, Hannes.Tschofenig@gmx.net, rifaat.ietf@gmail.com
Cc: martin@martinmay.net, oauth@ietf.org, rfc-editor@rfc-editor.org
Message-Id: <20190725224347.D4E11B82097@rfc-editor.org>
Date: Thu, 25 Jul 2019 15:43:47 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/upWkKBXWQdyO4yZjzPVW8kgBlBE>

The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".

You may review the report below and at:

Type: Technical
Reported by: Martin May <martin@martinmay.net>

Section: 2.3.1

Original Text
   Alternatively, the authorization server MAY support including the
   client credentials in the request-body using the following

Corrected Text
   In addition to that, the authorization server MAY support including
   the client credentials in the request-body using the following

Given that the authorization server MUST support the HTTP Basic authentication scheme in the paragraphs just before this one, using the word "alternatively" here can be understood as "instead of", which is not the intention and can lead to confusion for implementors.

This intention is further highlighted by the use of the word MAY in the paragraph above.

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

RFC6749 (draft-ietf-oauth-v2-31)
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG
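
Added example, not part of the erratum or of RFC 6749: a sketch of token-endpoint client authentication that follows the reading the report argues for, where HTTP Basic is always accepted and request-body credentials are an optional extra. The function names, the dict-shaped headers/form arguments, the allow_body_credentials switch and the sample values are assumptions made for illustration.

```python
import base64
from urllib.parse import quote_plus, unquote_plus

# Constructed sample values, not taken from the erratum.
SAMPLE_ID, SAMPLE_SECRET = "demo client", "p@ss:word"

class ClientAuthError(Exception):
    """Reported to the client as the OAuth `invalid_client` error."""

def basic_header(client_id, client_secret):
    # Section 2.3.1: form-urlencode each value, join with ":", then Base64.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def extract_client_credentials(headers, form, allow_body_credentials=False):
    """Return (client_id, client_secret, method) for a token request.

    HTTP Basic is always accepted (MUST). Request-body credentials are
    accepted only if the server opted in (MAY), never instead of Basic.
    """
    auth = headers.get("Authorization", "")
    has_basic = auth[:6].lower() == "basic "
    # client_id alone in the body only identifies a client; the secret
    # is what makes the body an authentication attempt.
    has_body = "client_secret" in form
    if has_basic and has_body:
        # RFC 6749 section 2.3: one authentication method per request.
        raise ClientAuthError("multiple client authentication methods")
    if has_basic:
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode()
        except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError
            raise ClientAuthError("malformed Basic credentials") from exc
        user, sep, secret = raw.partition(":")
        if not sep or not user:
            raise ClientAuthError("malformed Basic credentials")
        return unquote_plus(user), unquote_plus(secret), "basic"
    if has_body:
        if not allow_body_credentials:
            raise ClientAuthError("request-body credentials not enabled")
        if not form.get("client_id"):
            raise ClientAuthError("client_id missing")
        return form["client_id"], form["client_secret"], "body"
    raise ClientAuthError("no client credentials presented")
```

A server that read "alternatively" as "instead of" would drop the has_basic branch whenever body credentials are enabled, which is the misreading the report describes.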