On Wed, Oct 13, 2010 at 2:00 PM, Paul Tarjan <[email protected]> wrote:
>>
>>> At Facebook we issue an HTTP 400 with "invalid_request" as the error.
>>> http://graph.facebook.com/me?access_token=blah&client_id=150629244948164
>>> (the client_id is to enable draft-10 error messaging).
>>
>> Without client_id you get a different error message (JSON as well, but
>> not OAuth2 compliant). Why do you need this parameter to make the
>> distinction?
>
> Backwards compatibility. When we shipped, OAuth2 was at draft 00 and there
> was no standard error mechanism. So we invented one that isn't compatible
> with the current error codes (our key "error" was an array, and the current
> one is a "string" so we can't just send both).
>
> When the spec finalizes, we'll do a single migration and change the default
> to be the final format (and all other non-backwards compatible changes).

Got it, thanks.

Marius
