In core -23, the last paragraph of section 3.1
<http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1> now says:

   The authorization server MUST ignore unrecognized request
   parameters.

In -22, this said:

   The authorization server SHOULD ignore unrecognized request
   parameters.

In a security protocol, it seems unreasonable to require that information be
ignored. As I see it, it SHOULD be legal to return an error if unrecognized
information is received.

Why the change? And can we please have it changed back to SHOULD in -24?

Thanks,
-- Mike