This looks correct to me, so I'll mark it as verified.

-Ben

On Tue, Apr 09, 2019 at 03:02:46PM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC7636,
> "Proof Key for Code Exchange by OAuth Public Clients".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5687
>
> --------------------------------------
> Type: Technical
> Reported by: Collin Sauve <collinsa...@gmail.com>
>
> Section: 5
>
> Original Text
> -------------
> Server implementations of this specification MAY accept OAuth2.0
> clients that do not implement this extension. If the "code_verifier"
> is not received from the client in the Authorization Request, servers
> supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
> protocol without this extension.
>
> As the OAuth 2.0 [RFC6749] server responses are unchanged by this
> specification, client implementations of this specification do not
> need to know if the server has implemented this specification or not
> and SHOULD send the additional parameters as defined in Section 4 to
> all servers.
>
>
> Corrected Text
> --------------
> Server implementations of this specification MAY accept OAuth2.0
> clients that do not implement this extension. If the "code_challenge"
> is not received from the client in the Authorization Request, servers
> supporting backwards compatibility revert to the OAuth 2.0 [RFC6749]
> protocol without this extension.
>
> As the OAuth 2.0 [RFC6749] server responses are unchanged by this
> specification, client implementations of this specification do not
> need to know if the server has implemented this specification or not
> and SHOULD send the additional parameters as defined in Section 4 to
> all servers.
>
>
> Notes
> -----
> The code_verifier is not sent in the authorization request.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC7636 (draft-ietf-oauth-spop-15)
> --------------------------------------
> Title : Proof Key for Code Exchange by OAuth Public Clients
> Publication Date : September 2015
> Author(s) : N. Sakimura, Ed., J. Bradley, N. Agarwal
> Category : PROPOSED STANDARD
> Source : Web Authorization Protocol
> Area : Security
> Stream : IETF
> Verifying Party : IESG