Can we get some clarification into the spec as to whether optional parameters can be present but empty? Particularly parameters such as tokens that obviously cannot be meaningful when having an empty value. This was a muddy issue in the OpenID spec, where some implementations would include empty parameters rather than just omitting them, breaking other implementations that would expect that if the parameter is present it ought to have a meaningful value.
My own vote: parameters must have valid values (non-empty) if they are present, unless they are opaque strings (like client state) that the remote party doesn't have to do anything but imitate back anyway.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
