[OAUTH-WG] [Errata Held for Document Update] RFC6749 (3780)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 08 December 2015 15:13 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0D04C1B2EF1; Tue, 8 Dec 2015 07:13:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.912
X-Spam-Status: No, score=-106.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id VC1wOmUnIs5a; Tue, 8 Dec 2015 07:13:04 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org []) by ietfa.amsl.com (Postfix) with ESMTP id 7C0401B2ECD; Tue, 8 Dec 2015 07:13:04 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id 296B4180094; Tue, 8 Dec 2015 07:11:02 -0800 (PST)
To: torsten@lodderstedt.net, dick.hardt@gmail.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20151208151102.296B4180094@rfc-editor.org>
Date: Tue, 08 Dec 2015 07:11:02 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/zC-5Rixryaz-vz-VqKM-BYhprqo>
Cc: rfc-editor@rfc-editor.org, Kathleen.Moriarty@emc.com, iesg@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] [Errata Held for Document Update] RFC6749 (3780)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2015 15:13:06 -0000

The following errata report has been held for document update 
for RFC6749, "The OAuth 2.0 Authorization Framework". 

You may review the report below and at:

Status: Held for Document Update
Type: Technical

Reported by: Torsten Lodderstedt <torsten@lodderstedt.net>
Date Reported: 2013-11-04
Held by: Kathleen Moriarty (IESG)

Section: 3.2.1

Original Text
A client MAY use the \\\\"client_id\\\\" request parameter to identify itself
   when sending requests to the token endpoint.

Corrected Text
A public client MAY use the \\\\"client_id\\\\" request parameter to identify 
itself when sending requests to the token endpoint.

Note from AD: The provided link doesn\\'t exactly demonstrate consensus, but the change makes sense, hence this is marked \\"Hold for Document Update\\".

>From Submitter: The current text may mislead confidential clients to sent their client_id in the request body in addition to their client_id and client_secret in the BASIC authz header. This leads to unnecessary duplication and ambiguities. 

There has been consensus on the list that the intention of this sentence was to advise _public_ clients to identity themselves towards the token endpoint in order to mitigate substitution attacks and allow for logging. Confidential clients need to authenticate anyway, this sentence should be narrowed down to public clients only. 

see http://www.ietf.org/mail-archive/web/oauth/current/msg12005.html

This issue was discovered in the course of the OpenID Connect Interop testings.

RFC6749 (draft-ietf-oauth-v2-31)
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG