+1 Yes, forward compatibility and extensions will be broken if unrecognized params are not allowed.
Marius

On Thu, Feb 16, 2012 at 10:32 AM, William Mills <[email protected]> wrote:
> No, this is required for forward compatibility. Implementations that send
> extended parameters like capability advertisements (i.e. CAPTCHA support or
> something) should not be broken hitting older implementations.
>
> ________________________________
> From: Mike Jones <[email protected]>
> To: "[email protected]" <[email protected]>
> Sent: Thursday, February 16, 2012 10:16 AM
> Subject: [OAUTH-WG] Ignoring unrecognized request parameters
>
> In core -23, the last paragraph of section 3.1 now says:
>
>    The authorization server MUST ignore unrecognized request
>    parameters.
>
> In -22, this said:
>
>    The authorization server SHOULD ignore unrecognized request
>    parameters.
>
> In a security protocol, it seems unreasonable to require that information be
> ignored. As I see it, it SHOULD be legal to return an error if unrecognized
> information is received.
>
> Why the change? And can we please have it changed back to SHOULD in -24?
>
> Thanks,
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
