RFC Errata
Found 2 records.
No records found for status Verified.
Status: Reported (1)
RFC 8252, "OAuth 2.0 for Native Apps", October 2017
Source of RFC: oauth (sec)
Errata ID: 8080
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Bryce Thomas
Date Reported: 2024-08-16
Section 6 and 7.1 says:
Any redirect URI that allows the app to receive the URI and inspect its parameters is viable.
and
When choosing a URI scheme to associate with the app, apps MUST use a URI scheme based on a domain name under their control, expressed in reverse order, as recommended by Section 3.8 of [RFC7595] for private-use URI schemes.
It should say:
Any redirect URI that allows the app to receive the URI and inspect its parameters is viable.
and
When choosing a URI scheme to associate with the app, apps SHOULD use a URI scheme based on a domain name under their control, expressed in reverse order, as recommended by Section 3.8 of [RFC7595] for
Notes:
These two statements appear to conflict. Suggest downgrading the section 7.1 text from MUST to SHOULD to resolve the conflict.
Status: Rejected (1)
RFC 8252, "OAuth 2.0 for Native Apps", October 2017
Source of RFC: oauth (sec)
Errata ID: 5848
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Bayard Bell
Date Reported: 2019-08-26
Rejected by: Benjamin Kaduk
Date Rejected: 2019-08-30
Section Appendix B.1 says:
Apps can initiate an authorization request in the browser, without the user leaving the app, through the "SFSafariViewController" class or its successor "SFAuthenticationSession", which implement the in-app browser tab pattern. Safari can be used to handle requests on old versions of iOS without in-app browser tab functionality.
It should say:
Apps can initiate an authorization request in the browser, without the user leaving the app, through the "ASWebAuthenticationSession" class or its successors "SFAuthenticationSession" and "SFSafariViewController", which implement the in-app browser tab pattern. The first of these allows calls to a handler registered for the AS URL, consistent with Section 7.2. The latter two classes, now deprecated, can use Safari to handle requests on old versions of iOS without in-app browser tab functionality.
Notes:
SFAuthenticationSession documentation reflects deprecated status:
https://developer.apple.com/documentation/safariservices/sfauthenticationsession
Here's the documentation for ASWebAuthenticationSession:
https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
--VERIFIER NOTES--
This sort of change to update for events since the time of publication is not appropriate for an erratum; errata are intended solely to indicate errors in a document that were errors at the time of publication. A revision of the document or a new document with an "Updates:" relationship would be more appropriate ways to indicate that the situation has changed.