The following errata report has been held for document update for RFC6749, "The OAuth 2.0 Authorization Framework".
-------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=3780 -------------------------------------- Status: Held for Document Update Type: Technical Reported by: Torsten Lodderstedt <[email protected]> Date Reported: 2013-11-04 Held by: Kathleen Moriarty (IESG) Section: 3.2.1 Original Text ------------- A client MAY use the \\\\"client_id\\\\" request parameter to identify itself when sending requests to the token endpoint. Corrected Text -------------- A public client MAY use the \\\\"client_id\\\\" request parameter to identify itself when sending requests to the token endpoint. Notes ----- Note from AD: The provided link doesn\\'t exactly demonstrate consensus, but the change makes sense, hence this is marked \\"Hold for Document Update\\". >From Submitter: The current text may mislead confidential clients to sent >their client_id in the request body in addition to their client_id and >client_secret in the BASIC authz header. This leads to unnecessary duplication >and ambiguities. There has been consensus on the list that the intention of this sentence was to advise _public_ clients to identity themselves towards the token endpoint in order to mitigate substitution attacks and allow for logging. Confidential clients need to authenticate anyway, this sentence should be narrowed down to public clients only. see http://www.ietf.org/mail-archive/web/oauth/current/msg12005.html This issue was discovered in the course of the OpenID Connect Interop testings. -------------------------------------- RFC6749 (draft-ietf-oauth-v2-31) -------------------------------------- Title : The OAuth 2.0 Authorization Framework Publication Date : October 2012 Author(s) : D. Hardt, Ed. Category : PROPOSED STANDARD Source : Web Authorization Protocol Area : Security Stream : IETF Verifying Party : IESG _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
