No, this is required for forward compatibility.  Implementations that send 
extended parameters like capability advertisements (i.e. CAPTCHA support or 
something) should not be broken hitting older implementations.



________________________________
 From: Mike Jones <[email protected]>
To: "[email protected]" <[email protected]> 
Sent: Thursday, February 16, 2012 10:16 AM
Subject: [OAUTH-WG] Ignoring unrecognized request parameters
 

 
In core -23, the last paragraph of section 3.1 now says:
 
                The authorization server MUST ignore unrecognized request parameters.
 
In -22, this said:
 
                The authorization server SHOULD ignore unrecognized request parameters.
 
In a security protocol, it seems unreasonable to require that information be 
ignored.  As I see it, it SHOULD be legal to return an error if unrecognized 
information is received.
 
Why the change?  And can we please have it changed back to SHOULD in -24?
 
                                                                Thanks,
                                                                -- Mike
 
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
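
The two behaviours debated in this thread, shown side by side as an added example (not code from either poster or from the OAuth draft). It assumes a hypothetical extension parameter named captcha_supported, a constructed request string, and invalid_request as the error returned by the strict variant.

```python
from urllib.parse import parse_qsl

# Parameters this (older) authorization server recognizes.
KNOWN = {"response_type", "client_id", "redirect_uri", "scope", "state"}
REQUIRED = {"response_type", "client_id"}

# Constructed request from a newer client. "captcha_supported" is a
# hypothetical extension parameter, not a registered OAuth parameter.
NEW_CLIENT_QUERY = (
    "response_type=code&client_id=example-client"
    "&state=xyz&captcha_supported=1"
)


def parse_authz_request(query, strict=False):
    """Return (params, ignored, error) for an authorization request.

    strict=False ignores unrecognized parameters (the -23 MUST wording).
    strict=True rejects them, the behaviour the SHOULD wording would allow.
    """
    params, ignored = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in KNOWN:
            if strict:
                return {}, [name], "invalid_request"
            ignored.append(name)  # dropped from processing, kept for audit
            continue
        if name in params:
            # Choice made for this example: a repeated recognized parameter
            # is rejected rather than resolved by first-wins or last-wins.
            return {}, ignored, "invalid_request"
        params[name] = value
    if not REQUIRED.issubset(params):
        return {}, ignored, "invalid_request"
    return params, ignored, None


if __name__ == "__main__":
    for strict in (False, True):
        params, ignored, error = parse_authz_request(NEW_CLIENT_QUERY, strict)
        print(f"strict={strict} error={error} ignored={ignored} "
              f"accepted={sorted(params)}")
```

The ignored names are returned separately so a server can log them without ever acting on their values.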