+1

On 02/16/2012 10:45 AM, Marius Scurtescu wrote:
+1

Yes, forward compatibility and extensions will be broken if
unrecognized params are not allowed.

Marius



On Thu, Feb 16, 2012 at 10:32 AM, William Mills<[email protected]>  wrote:
No, this is required for forward compatibility.  Implementations that send
extended parameters like capability advertisements (i.e. CAPTCHA support or
something) should not be broken hitting older implementations.

________________________________
From: Mike Jones<[email protected]>
To: "[email protected]"<[email protected]>
Sent: Thursday, February 16, 2012 10:16 AM
Subject: [OAUTH-WG] Ignoring unrecognized request parameters

In core -23, the last paragraph of section 3.1 now says:

    The authorization server MUST ignore unrecognized request parameters.

In -22, this said:

    The authorization server SHOULD ignore unrecognized request parameters.

In a security protocol, it seems unreasonable to require that information be
ignored.  As I see it, it SHOULD be legal to return an error if unrecognized
information is received.

Why the change?  And can we please have it changed back to SHOULD in -24?

                                                                 Thanks,
                                                                 -- Mike


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth


