The following errata report has been submitted for RFC6749, "The OAuth 2.0 Authorization Framework".
-------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3780 -------------------------------------- Type: Technical Reported by: Torsten Lodderstedt <[email protected]> Section: 3.2.1 Original Text ------------- A client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint. Corrected Text -------------- A public client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint. Notes ----- The current text may mislead confidential clients to sent their client_id in the request body in addition to their client_id and client_secret in the BASIC authz header. This leads to unnecessary duplication and ambiguities. There has been consensus on the list that the intention of this sentence was to advise _public_ clients to identity themselves towards the token endpoint in order to mitigate substitution attacks and allow for logging. Confidential clients need to authenticate anyway, this sentence should be narrowed down to public clients only. see http://www.ietf.org/mail-archive/web/oauth/current/msg12005.html This issue was discovered in the course of the OpenID Connect Interop testings. Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC6749 (draft-ietf-oauth-v2-31) -------------------------------------- Title : The OAuth 2.0 Authorization Framework Publication Date : October 2012 Author(s) : D. Hardt, Ed. Category : PROPOSED STANDARD Source : Web Authorization Protocol Area : Security Stream : IETF Verifying Party : IESG _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
