The following errata report has been submitted for RFC8628, "OAuth 2.0 Device Authorization Grant".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5840

--------------------------------------
Type: Technical
Reported by: Konstantin Lapine <konstantin.lap...@forgerock.com>

Section: 5.2

Original Text
-------------
An attacker who guesses the device code would be able to potentially obtain the authorization code once the user completes the flow.

Corrected Text
--------------
An attacker who guesses the device code would be able to potentially obtain the access token once the user completes the flow.

Notes
-----
The "authorization code" term is associated with Authorization Code Grant (defined in RFC 6749) and has the meaning of a temporary credential used by an OAuth 2.0 client to obtain the access token. Section 5.2 of RFC 8628 seems to refer to the steps of the device authorization flow during which the device code and the client identifier are exchanged for the access token (and the optional refresh token).

Alternative correction: "An attacker who guesses the device code would be able to potentially obtain the access token and the optional refresh token once the user completes the flow."

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8628 (draft-ietf-oauth-device-flow-15)
--------------------------------------
Title            : OAuth 2.0 Device Authorization Grant
Publication Date : August 2019
Author(s)        : W. Denniss, J. Bradley, M. Jones, H. Tschofenig
Category         : PROPOSED STANDARD
Source           : Web Authorization Protocol
Area             : Security
Stream           : IETF
Verifying Party  : IESG
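
The exchange the Notes describe, as an added example that is not part of the erratum or of RFC 8628: a toy in-memory token endpoint where the device code and client identifier are exchanged directly for an access token, so whoever presents a valid device code receives the tokens. The class, method names and client identifier are hypothetical; the user code, expiry and polling interval are omitted, and one-time use of the device code is an assumption of this sketch.

```python
import secrets

# Grant type URN defined by RFC 8628 for the device access token request.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class ToyAuthorizationServer:
    """In-memory model of the RFC 8628 token endpoint (illustration only)."""

    def __init__(self):
        self._pending = {}  # device_code -> {"client_id", "approved"}

    def device_authorization(self, client_id):
        # The device code is the only secret the device later presents, so it
        # is drawn from a CSPRNG with high entropy.
        device_code = secrets.token_urlsafe(32)
        self._pending[device_code] = {"client_id": client_id, "approved": False}
        return device_code

    def user_approves(self, device_code):
        # Stands in for the user completing the flow on a second device.
        self._pending[device_code]["approved"] = True

    def token(self, grant_type, device_code, client_id):
        if grant_type != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        entry = self._pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not entry["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]  # assumption: device code is one-time use
        # Tokens are issued directly; no authorization code exists in this grant.
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "refresh_token": secrets.token_urlsafe(32),  # optional in RFC 8628
        }


def run_flow():
    server = ToyAuthorizationServer()
    code = server.device_authorization("constructed-client-id")
    before = server.token(DEVICE_GRANT, code, "constructed-client-id")
    server.user_approves(code)
    after = server.token(DEVICE_GRANT, code, "constructed-client-id")
    replay = server.token(DEVICE_GRANT, code, "constructed-client-id")
    return before, after, replay
```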