This errata appears to be wrong. Whilst the chart below the heading 1.5 Refresh token does issue the refresh token in step B, that diagram is labeled Figure 2. Step D in Figure 1 is actually the access token response.
If anything, we could amend the text to read: it is included when issuing an access token (i.e., step (D) in Figure 1 above). (Adding the word above to avoid people referencing the wrong diagram incorrectly) Yours, Emelia Smith > On 28. Jan 2026, at 14:22, RFC Errata System <[email protected]> > wrote: > > The following errata report has been submitted for RFC6749, > "The OAuth 2.0 Authorization Framework". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid8722 > > -------------------------------------- > Type: Technical > Reported by: Martin Ottenwaelter <[email protected]> > > Section: 1.5 > > Original Text > ------------- > If the authorization server issues a refresh token, it is included when > issuing an access token (i.e., step (D) in Figure 1). > > > Corrected Text > -------------- > If the authorization server issues a refresh token, it is included when > issuing an access token (i.e., step (B) in Figure 1). > > > Notes > ----- > The authorization server issues a refresh token in step (B) in Figure 1), not > in step (D). > > Instructions: > ------------- > This erratum is currently posted as "Reported". (If it is spam, it > will be removed shortly by the RFC Production Center.) Please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > will log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC6749 (draft-ietf-oauth-v2-31) > -------------------------------------- > Title : The OAuth 2.0 Authorization Framework > Publication Date : October 2012 > Author(s) : D. Hardt, Ed. > Category : PROPOSED STANDARD > Source : Web Authorization Protocol > Stream : IETF > Verifying Party : IESG > > _______________________________________________ > OAuth mailing list -- [email protected] > To unsubscribe send an email to [email protected]
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
