The following errata report has been submitted for RFC6749, "The OAuth 2.0 Authorization Framework".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5332

--------------------------------------
Type: Technical
Reported by: Donald F Coffin <[email protected]>

Section: 4.1

Original Text
-------------
(B) The authorization server authenticates the resource owner (via the
user-agent) and establishes whether the resource owner grants or denies
the client's access request.

Corrected Text
--------------
(B) The authorization server validates the request to ensure that all
required parameters are present and valid. If the request is valid, the
authorization server authenticates the resource owner and obtains an
authorization decision (by asking the resource owner via the user-agent
or by use of other established approval means).

Notes
-----
"Section 4.1 Authorization Code Grant (B)" conflicts with "Section 4.1.1
Authorization Request". The current verbiage implies the resource owner
should be authenticated prior to "The authorization server validates the
request to ensure that all required parameters are present and valid".
Such implementations lead to overly complex user experiences when the
Authorization Server determines the request is invalid.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or rejected.
When a decision is reached, the verifying party can log in to change
the status and edit the report, if necessary.

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title               : The OAuth 2.0 Authorization Framework
Publication Date    : October 2012
Author(s)           : D. Hardt, Ed.
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
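The processing order the corrected text describes, as an added Python example that is not part of RFC 6749 or of the errata report: the authorization endpoint checks the Section 4.1.1 parameters first and only reaches the resource-owner login and consent steps for a request that passed validation. The client registry, the `authenticate` and `decide` hooks and the error handling for an untrusted redirect_uri (answer directly, never redirect) are assumptions of this example.

```python
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry for this example: client_id -> registered redirect URIs.
CLIENTS = {"s6BhdRkqt3": ["https://client.example.com/cb"]}


class UntrustedRedirect(Exception):
    """client_id or redirect_uri failed validation: respond directly, never redirect."""


def validate_authorization_request(query):
    """Step (B), first half: check the Section 4.1.1 parameters before any login.

    Returns (redirect_uri, state, error); error is None for a valid request or
    the error code to send to the already-validated redirect_uri.
    """
    raw = parse_qs(query, keep_blank_values=True)
    params = {k: v[0] for k, v in raw.items()}
    client_id = params.get("client_id")
    if client_id not in CLIENTS or len(raw.get("client_id", [])) != 1:
        raise UntrustedRedirect("unknown or repeated client_id")
    redirect_uri = params.get("redirect_uri", CLIENTS[client_id][0])
    if redirect_uri not in CLIENTS[client_id] or len(raw.get("redirect_uri", [None])) != 1:
        raise UntrustedRedirect("redirect_uri does not match registration")
    state = params.get("state")
    if any(len(v) != 1 for v in raw.values()):
        return redirect_uri, state, "invalid_request"  # 4.1.1: no repeated parameters
    response_type = params.get("response_type")
    if not response_type:
        return redirect_uri, state, "invalid_request"  # required parameter missing
    if response_type != "code":
        return redirect_uri, state, "unsupported_response_type"
    return redirect_uri, state, None


def handle_authorization_request(query, authenticate, decide):
    """Step (B) in the erratum's order: validate, then authenticate, then decide.

    `authenticate()` returns the resource owner and `decide(owner)` returns True
    when access is granted; both are hypothetical hooks injected by the caller
    and are only invoked once the request has passed validation.
    """
    redirect_uri, state, error = validate_authorization_request(query)
    if error is None:
        owner = authenticate()
        if decide(owner):
            # Constructed: a real server persists the code bound to client_id,
            # redirect_uri and owner, with a short expiry, before issuing it.
            resp = {"code": secrets.token_urlsafe(32)}
        else:
            resp = {"error": "access_denied"}
    else:
        resp = {"error": error}
    if state is not None:
        resp["state"] = state  # 4.1.2: echo state exactly when the client sent it
    return redirect_uri + "?" + urlencode(resp)
```

An invalid request therefore never produces a login prompt, which is the user-experience problem the report raises.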
