I agree with this erratum; it should have been "authorization code". This sentence was also removed from OAuth 2.1, since the PKCE code challenge/code verifier mechanism is a more complete protection against authorization code substitution.
Aaron

On Tue, Sep 5, 2023 at 6:00 AM RFC Errata System <rfc-edi...@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7631
>
> --------------------------------------
> Type: Editorial
> Reported by: Daiki Usami <daiu...@icloud.com>
>
> Section: 3.2.1
>
> Original Text
> -------------
> This protects the client from substitution of the authentication code.
>
> Corrected Text
> --------------
> This protects the client from substitution of the authorization code.
>
> Notes
> -----
> It will be a bit confusing to figure out if it is a MAC or an
> authorization code.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title : The OAuth 2.0 Authorization Framework
> Publication Date : October 2012
> Author(s) : D. Hardt, Ed.
> Category : PROPOSED STANDARD
> Source : Web Authorization Protocol
> Area : Security
> Stream : IETF
> Verifying Party : IESG
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
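The reply above says PKCE gives a more complete protection against authorization code substitution than the client-binding check in RFC 6749 section 3.2.1. The following Python model, added here as an illustration and not part of the errata thread or of any RFC text, shows both checks side by side: the token endpoint verifies that the code was issued to the presenting client_id (the 3.2.1 check the corrected sentence refers to) and that the presented code_verifier hashes to the code_challenge stored with the code (RFC 7636, S256). The `AuthorizationServer` class, its in-memory code store and the flow functions are hypothetical; only the verifier and challenge derivation follows RFC 7636, and the known-answer pair in the usage note is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) challenge/verifier binding next to the RFC 6749 3.2.1
client binding, as a minimal model.

Added example, not code from the errata thread or the RFCs. The
AuthorizationServer class, its code store and the flow functions are
hypothetical; the verifier/challenge derivation follows RFC 7636.
"""
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 unreserved chars; 32 random bytes give 43."""
    return b64url_nopad(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: each authorization code is stored with the client_id
    it was issued to and the PKCE challenge sent on the authorization request;
    both are checked at the token endpoint."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge, method)

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, code_challenge_method)
        return code  # delivered to the client via the redirect URI

    def token(self, client_id, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return {"error": "invalid_grant"}
        issued_to, challenge, method = entry
        # RFC 6749 3.2.1: the code must have been issued to this client
        if issued_to != client_id:
            return {"error": "invalid_grant"}
        # RFC 7636 4.6: recompute the challenge from the presented verifier
        expected = s256_challenge(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(expected, challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def legitimate_flow():
    """Same client on both legs: the verifier matches the stored challenge."""
    az = AuthorizationServer()
    verifier = make_code_verifier()
    code = az.authorize("app", s256_challenge(verifier))
    return az.token("app", code, verifier)


def substituted_code_flow():
    """Code substitution: a code issued for the attacker's own session is
    swapped into the victim's session, whose client redeems it with the
    verifier it generated for its own request. The client_id matches, so
    only the PKCE check rejects it."""
    az = AuthorizationServer()
    attacker_verifier = make_code_verifier()
    victim_verifier = make_code_verifier()
    attacker_code = az.authorize("app", s256_challenge(attacker_verifier))
    az.authorize("app", s256_challenge(victim_verifier))  # victim's own code, unused
    return az.token("app", attacker_code, victim_verifier)


def stolen_code_flow():
    """Code interception: the attacker captures the victim's code but never
    saw the verifier, so any verifier they present fails the S256 check."""
    az = AuthorizationServer()
    victim_verifier = make_code_verifier()
    victim_code = az.authorize("app", s256_challenge(victim_verifier))
    return az.token("app", victim_code, make_code_verifier())


def wrong_client_flow():
    """The RFC 6749 3.2.1 case: a code issued to one client presented by
    another. Rejected by the client binding before PKCE is even consulted."""
    az = AuthorizationServer()
    verifier = make_code_verifier()
    code = az.authorize("app", s256_challenge(verifier))
    return az.token("other-app", code, verifier)


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("substituted:", substituted_code_flow())
    print("stolen:", stolen_code_flow())
    print("wrong client:", wrong_client_flow())
```

Two design points worth noting. The challenge comparison uses `hmac.compare_digest` rather than `==`, so a timing side channel cannot be used to recover the stored challenge one character at a time. And the code is popped from the store before any check runs, so a code that fails either check is also burned rather than left available for a second attempt. A quick sanity check of the derivation is the RFC 7636 Appendix B pair: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must yield challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.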