IETF Logo Mail Archive

[OAUTH-WG] Ignoring unrecognized request parameters

Mike Jones <Michael.Jones@microsoft.com> Thu, 16 February 2012 18:16 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E848721F887C for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:16:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.26
X-Spam-Level:
X-Spam-Status: No, score=-5.26 tagged_above=-999 required=5 tests=[AWL=1.338, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUGLMSPqPAfs for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:16:24 -0800 (PST)
Received: from TX2EHSOBE002.bigfish.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id DA1C921F8860 for <oauth@ietf.org>; Thu, 16 Feb 2012 10:16:23 -0800 (PST)
Received: from mail85-tx2-R.bigfish.com (10.9.14.236) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Thu, 16 Feb 2012 18:16:23 +0000
Received: from mail85-tx2 (localhost [127.0.0.1]) by mail85-tx2-R.bigfish.com (Postfix) with ESMTP id 2B0BE4A0294 for <oauth@ietf.org>; Thu, 16 Feb 2012 18:16:23 +0000 (UTC)
X-SpamScore: -24
X-BigFish: VS-24(zzc85fh4015Lzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail85-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail85-tx2 (localhost.localdomain [127.0.0.1]) by mail85-tx2 (MessageSwitch) id 1329416181439551_14417; Thu, 16 Feb 2012 18:16:21 +0000 (UTC)
Received: from TX2EHSMHS023.bigfish.com (unknown [10.9.14.235]) by mail85-tx2.bigfish.com (Postfix) with ESMTP id 5C463380275 for <oauth@ietf.org>; Thu, 16 Feb 2012 18:16:21 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS023.bigfish.com (10.9.99.123) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 16 Feb 2012 18:16:17 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.12]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0247.005; Thu, 16 Feb 2012 10:16:05 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Ignoring unrecognized request parameters
Thread-Index: Aczs1wtn/6RuTd6FSU2gMdrvLPHe9Q==
Date: Thu, 16 Feb 2012 18:16:04 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943663A7EA2@TK5EX14MBXC284.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.70]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943663A7EA2TK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: [OAUTH-WG] Ignoring unrecognized request parameters
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 18:16:28 -0000

In core -23, the last paragraph of section 3.1<http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-3.1> now says:

                The authorization server MUST ignore unrecognized request parameters.

In -22, this said:

                The authorization server SHOULD ignore unrecognized request parameters.

In a security protocol, it seems unreasonable to require that information be ignored.  As I see it, it SHOULD be legal to return an error if unrecognized information is received.

Why the change?  And can we please have it changed back to SHOULD in -24?

                                                                Thanks,
                                                                -- Mike

v2.14.0 | Report a Bug | By Email