Re: [OAUTH-WG] Ignoring unrecognized request parameters
Marius Scurtescu <mscurtescu@google.com> Thu, 16 February 2012 18:45 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A7D11E8074 for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:45:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPWD2fnQqyUE for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:45:22 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id D66ED11E8087 for <oauth@ietf.org>; Thu, 16 Feb 2012 10:45:21 -0800 (PST)
Received: by yenm3 with SMTP id m3so1651875yen.31 for <oauth@ietf.org>; Thu, 16 Feb 2012 10:45:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=/kv3cBPqccqDWd3vGf0N6MuIC7Q9E0bUR/GxJmmfBT4=; b=pG7YZkw6zZV4CAuRmQG1yGRZyaf3pKujDDeJrcV6tvTE8vRApKGL/eOm5fJ1eH2XEJ ZVQdsSfXnMDrCE9M7fEAF7ob2DLkGLPmT3qY6i/ceW8ngY8+Rpr11UjQZ9zGZDTwNAa5 Qiqpnq40S3LLucqzMGmGjN6p9aocEQsYIDHJI=
Received: by 10.236.201.230 with SMTP id b66mr5112775yho.82.1329417921377; Thu, 16 Feb 2012 10:45:21 -0800 (PST)
Received: by 10.236.201.230 with SMTP id b66mr5112755yho.82.1329417921290; Thu, 16 Feb 2012 10:45:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.55.23 with HTTP; Thu, 16 Feb 2012 10:45:01 -0800 (PST)
In-Reply-To: <1329417179.41387.YahooMailNeo@web31809.mail.mud.yahoo.com>
References: <4E1F6AAD24975D4BA5B1680429673943663A7EA2@TK5EX14MBXC284.redmond.corp.microsoft.com> <1329417179.41387.YahooMailNeo@web31809.mail.mud.yahoo.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Thu, 16 Feb 2012 10:45:01 -0800
Message-ID: <CAGdjJpJiDRKB+B9tPhUSKVHKQMgeNMAKKduKgE5E4QE41k+N9A@mail.gmail.com>
To: William Mills <wmills@yahoo-inc.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQlbtQr1WPfhfkoZXgNT1rw0wrgn0AUBcTIkezvsNpTB0KQiq0KBUKK2IIqi0LevE6v2/gOyvxl35XXm31lD5WKz0z8LXAmgeZ1V0kB/38R+8uCXwYr3c08nAOPlY0MW7HCSf+va
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Ignoring unrecognized request parameters
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 18:45:26 -0000
+1 Yes, forward compatibility and extensions will be broken if unrecognized params are not allowed. Marius On Thu, Feb 16, 2012 at 10:32 AM, William Mills <wmills@yahoo-inc.com> wrote: > No, this is required for forward compatibility. Implementations that send > extended parameters like capability advertisements (i.e. CAPTCHA support or > something) shoudl not be broken hitting older implementations. > > ________________________________ > From: Mike Jones <Michael.Jones@microsoft.com> > To: "oauth@ietf.org" <oauth@ietf.org> > Sent: Thursday, February 16, 2012 10:16 AM > Subject: [OAUTH-WG] Ignoring unrecognized request parameters > > In core -23, the last paragraph of section 3.1 now says: > > The authorization server MUST ignore unrecognized request > parameters. > > In -22, this said: > > The authorization server SHOULD ignore unrecognized request > parameters. > > In a security protocol, it seems unreasonable to require that information be > ignored. As I see it, it SHOULD be legal to return an error if unrecognized > information is received. > > Why the change? And can we please have it changed back to SHOULD in -24? > > Thanks, > -- Mike > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Ignoring unrecognized request paramete… Mike Jones
- Re: [OAUTH-WG] Ignoring unrecognized request para… Mike Jones
- Re: [OAUTH-WG] Ignoring unrecognized request para… William Mills
- Re: [OAUTH-WG] Ignoring unrecognized request para… Marius Scurtescu
- Re: [OAUTH-WG] Ignoring unrecognized request para… Michael Thomas
- Re: [OAUTH-WG] Ignoring unrecognized request para… John Bradley
- Re: [OAUTH-WG] Ignoring unrecognized request para… Eran Hammer
- Re: [OAUTH-WG] Ignoring unrecognized request para… Eran Hammer
- Re: [OAUTH-WG] Ignoring unrecognized request para… John Bradley
- Re: [OAUTH-WG] Ignoring unrecognized request para… Eran Hammer