> >> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
> >> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
> >> (the client_id is to enable draft-10 error messaging).
>
> Without client_id you get a different error message (JSON as well, but
> not OAuth2 compliant). Why do you need this parameter to make the
> distinction?

Backwards compatibility. When we shipped, OAuth2 was at draft 00 and there was no standard error mechanism. So we invented one that isn't compatible with the current error codes (our key "error" was an array, and the current one is a "string" so we can't just send both). When the spec finalizes, we'll do a single migration and change the default to be the final format (and all other non-backwards compatible changes).

Paul

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
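Added example, not part of the original thread and not Facebook's code: a client-side parser that tells the two error formats apart by the JSON type of the "error" key, which is the collision the reply describes, and rejects anything else. The names `ApiError` and `parse_error_body` and both sample bodies are constructed; the thread only says the legacy "error" value was an array, so its contents are kept opaque here.

```python
import json
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class ApiError:
    fmt: str             # "oauth2" (string error code) or "legacy" (structured error)
    code: Optional[str]  # e.g. "invalid_request"; None for the legacy shape
    detail: Any          # description string, or the raw legacy value


def parse_error_body(status: int, body: str) -> ApiError:
    """Classify an error response by the JSON type of its "error" key."""
    if status < 400:
        raise ValueError("not an error response")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("error body is not JSON") from exc
    if not isinstance(doc, dict) or "error" not in doc:
        raise ValueError('error body has no "error" key')
    err = doc["error"]
    if isinstance(err, str):
        # Spec-style format: "error" is a single string code.
        return ApiError("oauth2", err, doc.get("error_description"))
    if isinstance(err, (list, dict)):
        # Legacy format: never guess a code out of a structure we do not understand.
        return ApiError("legacy", None, err)
    # Fail closed on any other type instead of coercing it to a string.
    raise ValueError(f'unexpected type for "error": {type(err).__name__}')


# Constructed sample bodies (not captured from any real service).
NEW_BODY = '{"error": "invalid_request", "error_description": "constructed sample"}'
OLD_BODY = '{"error": ["constructed legacy detail"]}'

if __name__ == "__main__":
    print(parse_error_body(400, NEW_BODY))
    print(parse_error_body(400, OLD_BODY))
```

Branching on the type of "error" rather than on whether `client_id` was sent keeps the client correct across the single migration the reply mentions, when the default format changes.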
