And same change requested in 3.2, 4.1.2, and 4.2.2, which also require ignoring unrecognized parameters.
From: [email protected] [mailto:[email protected]] On Behalf Of Mike Jones
Sent: Thursday, February 16, 2012 10:16 AM
To: [email protected]
Subject: [OAUTH-WG] Ignoring unrecognized request parameters

In core -23, the last paragraph of section 3.1<http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1> now says:

    The authorization server MUST ignore unrecognized request parameters.

In -22, this said:

    The authorization server SHOULD ignore unrecognized request parameters.

In a security protocol, it seems unreasonable to require that information be ignored. As I see it, it SHOULD be legal to return an error if unrecognized information is received.

Why the change? And can we please have it changed back to SHOULD in -24?

Thanks,
-- Mike
