[OAUTH-WG] Small error in OAuth BCP and new 2.1 draft...
Pieter Philippaerts <pieter.philippaerts@kuleuven.be> Thu, 12 March 2020 13:35 UTC
Return-Path: <pieter.philippaerts@kuleuven.be>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F1D13A08AE for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 06:35:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sRqhBO6i4n7T for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 06:35:36 -0700 (PDT)
Received: from rhcavuit04.kulnet.kuleuven.be (rhcavuit04.kulnet.kuleuven.be [IPv6:2a02:2c40:0:c0::25:137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02F683A08A5 for <oauth@ietf.org>; Thu, 12 Mar 2020 06:35:35 -0700 (PDT)
X-KULeuven-Envelope-From: pieter.philippaerts@kuleuven.be
X-KULeuven-Scanned: Found to be clean
X-KULeuven-ID: EADAE120345.AD623
X-KULeuven-Information: Katholieke Universiteit Leuven
Received: from icts-p-smtps-1.cc.kuleuven.be (icts-p-smtps-1e.kulnet.kuleuven.be [134.58.240.33]) by rhcavuit04.kulnet.kuleuven.be (Postfix) with ESMTP id EADAE120345 for <oauth@ietf.org>; Thu, 12 Mar 2020 14:35:31 +0100 (CET)
Received: from ICTS-S-EXMBX2.luna.kuleuven.be (icts-s-exmbx2.luna.kuleuven.be [10.112.11.10]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by icts-p-smtps-1.cc.kuleuven.be (Postfix) with ESMTPS id DFB9A40B5 for <oauth@ietf.org>; Thu, 12 Mar 2020 14:35:31 +0100 (CET)
Received: from ICTS-S-EXMBX28.luna.kuleuven.be (10.112.11.63) by ICTS-S-EXMBX2.luna.kuleuven.be (10.112.11.10) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 12 Mar 2020 14:35:31 +0100
Received: from ICTS-S-EXMBX19.luna.kuleuven.be (10.112.11.50) by ICTS-S-EXMBX28.luna.kuleuven.be (10.112.11.63) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 12 Mar 2020 14:35:31 +0100
Received: from ICTS-S-EXMBX19.luna.kuleuven.be ([fe80::b0b6:d4f7:5b6e:2396]) by ICTS-S-EXMBX19.luna.kuleuven.be ([fe80::b0b6:d4f7:5b6e:2396%21]) with mapi id 15.00.1497.006; Thu, 12 Mar 2020 14:35:31 +0100
X-Kuleuven: This mail passed the K.U.Leuven mailcluster
From: Pieter Philippaerts <pieter.philippaerts@kuleuven.be>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Small error in OAuth BCP and new 2.1 draft...
Thread-Index: AQHV+HMZ9PlHPoCXbEm/2RI7JRFbKg==
Date: Thu, 12 Mar 2020 13:35:31 +0000
Message-ID: <7864a74e108141ba9b4a3184c7515d2a@ICTS-S-EXMBX19.luna.kuleuven.be>
Accept-Language: en-US, nl-BE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.112.50.1]
Content-Type: multipart/alternative; boundary="_000_7864a74e108141ba9b4a3184c7515d2aICTSSEXMBX19lunakuleuve_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uyc2LfjZ1B8ScQQVBusAkw3zPGc>
Subject: [OAUTH-WG] Small error in OAuth BCP and new 2.1 draft...
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 13:35:39 -0000
Hi everyone,
I hope this is the right mailing list to submit mistakes in the OAuth specifications...
I was reading through the latest version of the OAuth 2.0 Security Best Current Practice (version 14) and noticed a very small error. Section 2.1.1 reads: "To this end, they MUST either (a) publish the element "code_challenge_methods_supported" in their AS metadata ([RFC8418])?...", but the reference to RFC8418 is wrong. RFC8418 is totally unrelated to OAuth2 or AS metadata. I believe you wanted to link to RFC8414 ("OAuth 2.0 Authorization Server Metadata").
The new OAuth 2.1 draft has the same text (and wrong reference) in section 9.7.
Kind regards,
Pieter
- [OAUTH-WG] Small error in OAuth BCP and new 2.1 d… Pieter Philippaerts
- Re: [OAUTH-WG] Small error in OAuth BCP and new 2… Daniel Fett