I believe this errata should be rejected. Section 7.1 is one of the three options listed in section 7: private URI scheme, claimed-https URLs, and loopback. The text in question is describing the requirement for the private URI scheme option. If the app is using private URI schemes, then it is correct that the private URI scheme MUST have the requirements listed.
Aaron

On Fri, Aug 16, 2024 at 4:58 PM RFC Errata System <rfc-edi...@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC8252,
> "OAuth 2.0 for Native Apps".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8080
>
> --------------------------------------
> Type: Technical
> Reported by: Bryce Thomas <bryce.m.tho...@gmail.com>
>
> Section: 6 and 7.1
>
> Original Text
> -------------
>
> Any redirect URI that allows
> the app to receive the URI and inspect its parameters is viable.
>
> and
>
>
> When choosing a URI scheme to associate with the app, apps MUST use a
> URI scheme based on a domain name under their control, expressed in
> reverse order, as recommended by Section 3.8 of [RFC7595] for
> private-use URI schemes.
>
> These two statements appear to conflict.
>
> Corrected Text
> --------------
>
> Any redirect URI that allows
> the app to receive the URI and inspect its parameters is viable.
>
> and
>
>
> When choosing a URI scheme to associate with the app, apps SHOULD use a
> URI scheme based on a domain name under their control, expressed in
> reverse order, as recommended by Section 3.8 of [RFC7595] for
>
> Notes
> -----
> Suggest downgrading the section 7.1 text from MUST to SHOULD to resolve
> the conflict.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8252 (draft-ietf-oauth-native-apps-12)
> --------------------------------------
> Title : OAuth 2.0 for Native Apps
> Publication Date : October 2017
> Author(s) : W. Denniss, J. Bradley
> Category : BEST CURRENT PRACTICE
> Source : Web Authorization Protocol
> Stream : IETF
> Verifying Party : IESG
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
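The scoping argued in the reply above, as an added example that is not part of the thread or of RFC 8252: a redirect URI is first sorted into one of the three Section 7 options, and the reverse-domain check is applied only when it falls under the private-use scheme option. The function names, the `controlled_domains` input and the sample URIs in the usage note are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK_IPS = {"127.0.0.1", "::1"}  # loopback IP literals


def scheme_to_domain(scheme):
    """Reverse 'com.example.app' into 'app.example.com'."""
    return ".".join(reversed(scheme.lower().split(".")))


def under_control(domain, controlled_domains):
    """True if domain equals, or is a subdomain of, a controlled domain."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d)
               for d in controlled_domains)


def classify_redirect_uri(uri, controlled_domains):
    """Return (option, acceptable) for a native-app redirect URI.

    controlled_domains is hypothetical registration data: the domains the
    app's publisher is known to control (an assumption of this example).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if scheme == "https":
        # Claimed-https option: the reverse-domain rule does not apply.
        return ("claimed-https", under_control(host, controlled_domains))
    if scheme == "http":
        # Loopback option: only IP-literal loopback hosts are accepted here.
        if host in LOOPBACK_IPS:
            return ("loopback", True)
        return ("none", False)
    if not scheme:
        return ("none", False)
    # Everything else is a private-use URI scheme, where the Section 7.1
    # MUST applies: a domain name under the app's control, reversed.
    if "." not in scheme:
        return ("private-use", False)
    return ("private-use",
            under_control(scheme_to_domain(scheme), controlled_domains))
```

With `{"example.com"}` as the controlled domain, `com.example.app:/oauth2redirect/example-provider` is accepted as private-use, `myapp:/callback` fails the private-use requirement, and `http://127.0.0.1:51004/cb` is accepted as loopback without any scheme check.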