Section 3.1 of RFC 6749 says (of the authorization endpoint):

   The authorization server MUST ignore unrecognized request parameters.

We hoped to be able to use this to opportunistically apply PKCE - always send a 
code_challenge in the hope that the AS supports it and there should be no harm 
if it doesn’t. 

Sadly I learned yesterday of yet another public AS that fails hard if the 
request contains unrecognised parameters. It appears this part of the spec is 
widely ignored. 

Given that this hampers the ability to add new request parameters in future, do 
we need our own GREASE to prevent these joints rusting tight?
https://www.rfc-editor.org/rfc/rfc8701.html

— Neil
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
