Re: [OAUTH-WG] Ignoring unrecognized request parameters

Mike Jones <Michael.Jones@microsoft.com> Thu, 16 February 2012 18:22 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D9CC21F841B for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:22:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.793
X-Spam-Level:
X-Spam-Status: No, score=-3.793 tagged_above=-999 required=5 tests=[AWL=-0.195, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gKSrDisvinUZ for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:22:30 -0800 (PST)
Received: from DB3EHSOBE001.bigfish.com (db3ehsobe002.messaging.microsoft.com [213.199.154.140]) by ietfa.amsl.com (Postfix) with ESMTP id CA35821F8715 for <oauth@ietf.org>; Thu, 16 Feb 2012 10:22:29 -0800 (PST)
Received: from mail107-db3-R.bigfish.com (10.3.81.229) by DB3EHSOBE001.bigfish.com (10.3.84.21) with Microsoft SMTP Server id 14.1.225.23; Thu, 16 Feb 2012 18:22:29 +0000
Received: from mail107-db3 (localhost [127.0.0.1]) by mail107-db3-R.bigfish.com (Postfix) with ESMTP id BCA0E4054F for <oauth@ietf.org>; Thu, 16 Feb 2012 18:22:28 +0000 (UTC)
X-SpamScore: -25
X-BigFish: VS-25(zz9371Ic85fh4015Lzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail107-db3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC101.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail107-db3 (localhost.localdomain [127.0.0.1]) by mail107-db3 (MessageSwitch) id 1329416546933822_8732; Thu, 16 Feb 2012 18:22:26 +0000 (UTC)
Received: from DB3EHSMHS015.bigfish.com (unknown [10.3.81.248]) by mail107-db3.bigfish.com (Postfix) with ESMTP id D64762004B for <oauth@ietf.org>; Thu, 16 Feb 2012 18:22:26 +0000 (UTC)
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.8) by DB3EHSMHS015.bigfish.com (10.3.87.115) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 16 Feb 2012 18:22:23 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.12]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0247.005; Thu, 16 Feb 2012 10:22:10 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Ignoring unrecognized request parameters
Thread-Index: Aczs1wtn/6RuTd6FSU2gMdrvLPHe9QAAJ0OQ
Date: Thu, 16 Feb 2012 18:22:09 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943663A7F0E@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943663A7EA2@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943663A7EA2@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.70]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943663A7F0ETK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [OAUTH-WG] Ignoring unrecognized request parameters
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 18:22:38 -0000

And same change requested in 3.2 4.1.2, and 4.2.2, which also require ignoring unrecognized parameters.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, February 16, 2012 10:16 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Ignoring unrecognized request parameters

In core -23, the last paragraph of section 3.1<http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1> now says:

                The authorization server MUST ignore unrecognized request parameters.

In -22, this said:

                The authorization server SHOULD ignore unrecognized request parameters.

In a security protocol, it seems unreasonable to require that information be ignored.  As I see it, it SHOULD be legal to return an error if unrecognized information is received.

Why the change?  And can we please have it changed back to SHOULD in -24?

                                                                Thanks,
                                                                -- Mike