Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

2019-08-27 Thread Bayard Bell
Alternatively if the appendix were as of a point in time but the github 
references were maintained, the warning that the RFC is a point-in-time while 
the github references will remain current lets you defer authoring an updated 
BCP RFC until there are much larger changes in mechanics.

From: John Bradley
Sent: Tuesday, August 27, 2019 6:52 AM
To: William Denniss
Cc: RFC Errata System; Hannes Tschofenig; Bayard Bell; Benjamin Kaduk; oauth; Roman Danyliw; rfc8...@ve7jtb.com; rfc8...@wdenniss.com; Rifaat Shekh-Yusef
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

This is not really an errata. At some point we need to update the BCP with an 
updated RFC. Perhaps the time is now to start a new draft that can capture 
the changes in iOS, OSX and others.

John B.

On Mon, Aug 26, 2019, 10:46 PM William Denniss <wdenn...@google.com> wrote:
Process-wise I'm not sure if errata should be used to capture changing 
implementation details like this. We expected the implementation details that 
we documented in the appendix to change, and explicitly stated that assumption. 
"The implementation details herein are considered accurate at the time of 
publishing but will likely change over time.".

If updating those implementation details were in scope, then the proposed text 
needs to be revised before being accepted due to some inaccuracies (e.g. 
SFSafariViewController is not a successor to ASWebAuthenticationSession).

Best,
William

On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <rfc-edi...@rfc-editor.org> wrote:
The following errata report has been submitted for RFC8252,
"OAuth 2.0 for Native Apps".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5848

--
Type: Technical
Reported by: Bayard Bell <bayard.b...@twosigma.com>

Section: Appendix B.1

Original Text
-
Apps can initiate an authorization request in the browser, without
the user leaving the app, through the "SFSafariViewController" class
or its successor "SFAuthenticationSession", which implement the in-
app browser tab pattern.  Safari can be used to handle requests on
old versions of iOS without in-app browser tab functionality.

Corrected Text
--
Apps can initiate an authorization request in the browser, without
the user leaving the app, through the "ASWebAuthenticationSession"
class or its successors "SFAuthenticationSession" and
"SFSafariViewController", which implement the in-app browser tab
pattern.  The first of these allows calls to a handler registered
for the AS URL, consistent with Section 7.2. The latter two classes,
now deprecated, can use Safari to handle requests on old versions of
iOS without in-app browser tab functionality.

Notes
-
SFAuthenticationSession documentation reflects deprecated status:

https://developer.apple.com/documentation/safariservices/sfauthenticationsession

Here's the documentation for ASWebAuthenticationSession:

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--
RFC8252 (draft-ietf-oauth-native-apps-12)
--
Title   : OAuth 2.0 for Native Apps
Publication Date: October 2017
Author(s)   : W. Denniss, J. Bradley
Category: BEST CURRENT PRACTICE
Source  : Web Authorization Protocol
Area: Security
Stream  : IETF
Verifying Party : IESG

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

2019-08-27 Thread John Bradley
This is not really an errata. At some point we need to update the BCP with an
updated RFC. Perhaps the time is now to start a new draft that can
capture the changes in iOS, OSX and others.

John B.

On Mon, Aug 26, 2019, 10:46 PM William Denniss wrote:

> Process-wise I'm not sure if errata should be used to capture changing
> implementation details like this. We expected the implementation details
> that we documented in the appendix to change, and explicitly stated that
> assumption. "The implementation details herein are considered accurate at
> the time of publishing but will likely change over time.".
>
> If updating those implementation details were in scope, then the proposed
> text needs to be revised before being accepted due to some
> inaccuracies (e.g. SFSafariViewController is not a successor to
> ASWebAuthenticationSession).
>
> Best,
> William
>
> On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <
> rfc-edi...@rfc-editor.org> wrote:
>
>> The following errata report has been submitted for RFC8252,
>> "OAuth 2.0 for Native Apps".
>>
>> --
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid5848
>>
>> --
>> Type: Technical
>> Reported by: Bayard Bell 
>>
>> Section: Appendix B.1
>>
>> Original Text
>> -
>> Apps can initiate an authorization request in the browser, without
>> the user leaving the app, through the "SFSafariViewController" class
>> or its successor "SFAuthenticationSession", which implement the in-
>> app browser tab pattern.  Safari can be used to handle requests on
>> old versions of iOS without in-app browser tab functionality.
>>
>> Corrected Text
>> --
>> Apps can initiate an authorization request in the browser, without
>> the user leaving the app, through the "ASWebAuthenticationSession"
>> class or its successors "SFAuthenticationSession" and
>> "SFSafariViewController", which implement the in-app browser tab
>> pattern.  The first of these allows calls to a handler registered
>> for the AS URL, consistent with Section 7.2. The latter two classes,
>> now deprecated, can use Safari to handle requests on old versions of
>> iOS without in-app browser tab functionality.
>>
>> Notes
>> -
>> SFAuthenticationSession documentation reflects deprecated status:
>>
>>
>> https://developer.apple.com/documentation/safariservices/sfauthenticationsession
>>
>> Here's the documentation for ASWebAuthenticationSession:
>>
>>
>> https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
>>
>> Instructions:
>> -
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --
>> RFC8252 (draft-ietf-oauth-native-apps-12)
>> --
>> Title   : OAuth 2.0 for Native Apps
>> Publication Date: October 2017
>> Author(s)   : W. Denniss, J. Bradley
>> Category: BEST CURRENT PRACTICE
>> Source  : Web Authorization Protocol
>> Area: Security
>> Stream  : IETF
>> Verifying Party : IESG
>>
>


Re: [OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

2019-08-26 Thread William Denniss
Process-wise I'm not sure if errata should be used to capture changing
implementation details like this. We expected the implementation details
that we documented in the appendix to change, and explicitly stated that
assumption. "The implementation details herein are considered accurate at
the time of publishing but will likely change over time.".

If updating those implementation details were in scope, then the proposed
text needs to be revised before being accepted due to some
inaccuracies (e.g. SFSafariViewController is not a successor to
ASWebAuthenticationSession).

Best,
William

On Mon, Aug 26, 2019 at 12:04 PM RFC Errata System <
rfc-edi...@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC8252,
> "OAuth 2.0 for Native Apps".
>
> --
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid5848
>
> --
> Type: Technical
> Reported by: Bayard Bell 
>
> Section: Appendix B.1
>
> Original Text
> -
> Apps can initiate an authorization request in the browser, without
> the user leaving the app, through the "SFSafariViewController" class
> or its successor "SFAuthenticationSession", which implement the in-
> app browser tab pattern.  Safari can be used to handle requests on
> old versions of iOS without in-app browser tab functionality.
>
> Corrected Text
> --
> Apps can initiate an authorization request in the browser, without
> the user leaving the app, through the "ASWebAuthenticationSession"
> class or its successors "SFAuthenticationSession" and
> "SFSafariViewController", which implement the in-app browser tab
> pattern.  The first of these allows calls to a handler registered
> for the AS URL, consistent with Section 7.2. The latter two classes,
> now deprecated, can use Safari to handle requests on old versions of
> iOS without in-app browser tab functionality.
>
> Notes
> -
> SFAuthenticationSession documentation reflects deprecated status:
>
>
> https://developer.apple.com/documentation/safariservices/sfauthenticationsession
>
> Here's the documentation for ASWebAuthenticationSession:
>
>
> https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
>
> Instructions:
> -
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --
> RFC8252 (draft-ietf-oauth-native-apps-12)
> --
> Title   : OAuth 2.0 for Native Apps
> Publication Date: October 2017
> Author(s)   : W. Denniss, J. Bradley
> Category: BEST CURRENT PRACTICE
> Source  : Web Authorization Protocol
> Area: Security
> Stream  : IETF
> Verifying Party : IESG
>


[OAUTH-WG] [Technical Errata Reported] RFC8252 (5848)

2019-08-26 Thread RFC Errata System
The following errata report has been submitted for RFC8252,
"OAuth 2.0 for Native Apps".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5848

--
Type: Technical
Reported by: Bayard Bell 

Section: Appendix B.1

Original Text
-
Apps can initiate an authorization request in the browser, without
the user leaving the app, through the "SFSafariViewController" class
or its successor "SFAuthenticationSession", which implement the in-
app browser tab pattern.  Safari can be used to handle requests on
old versions of iOS without in-app browser tab functionality.

Corrected Text
--
Apps can initiate an authorization request in the browser, without
the user leaving the app, through the "ASWebAuthenticationSession"
class or its successors "SFAuthenticationSession" and
"SFSafariViewController", which implement the in-app browser tab
pattern.  The first of these allows calls to a handler registered
for the AS URL, consistent with Section 7.2. The latter two classes,
now deprecated, can use Safari to handle requests on old versions of
iOS without in-app browser tab functionality.

Notes
-
SFAuthenticationSession documentation reflects deprecated status:

https://developer.apple.com/documentation/safariservices/sfauthenticationsession

Here's the documentation for ASWebAuthenticationSession:

https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--
RFC8252 (draft-ietf-oauth-native-apps-12)
--
Title   : OAuth 2.0 for Native Apps
Publication Date: October 2017
Author(s)   : W. Denniss, J. Bradley
Category: BEST CURRENT PRACTICE
Source  : Web Authorization Protocol
Area: Security
Stream  : IETF
Verifying Party : IESG
