Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

[Justin Richer <jricher@mitre.org>]

And also not much adoption into older (established) systems, yet. That's
where I see the trouble really happening. Most of the deployments we've
seen with OAuth2 have been with new systems or custom-built websites
where the devs had full control over API parameters.

 -- Justin

On Wed, 2011-01-26 at 11:05 -0500, Eran Hammer-Lahav wrote:
> It's been close to a year and no bite marks.
> 
> EHL
> 
> > -----Original Message-----
> > From: Justin Richer [mailto:jricher@mitre.org]
> > Sent: Wednesday, January 26, 2011 6:13 AM
> > To: Marius Scurtescu
> > Cc: Eran Hammer-Lahav; oauth@ietf.org
> > Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
> > 
> > > 2. Section 8.2. What about applications using legacy parameters? Does
> > > not make much sense to register them, and they cannot be changed to
> > > x_.
> > 
> > I *guarantee* that there will be many noncompliant implementations of this,
> > built on server frameworks with required parameters on all endpoints. Not
> > everyone is a Facebook or Google who can just define a new top-level
> > endpoint with clean parameter space. OAuth2 is going to be integrated into
> > *existing* systems that already have their allowable extra parameters
> > carved out, and these systems are not going to change their parameters just
> > to support OAuth. Once again, I'll say that if the choice comes down to
> > changing around existing parameters or not supporting OAuth, most people
> > are going to just not support OAuth.
> > 
> > > Broken record: using a prefix for all registered parameters is much
> > > cleaner (as opposed to requiring that all no-registered parameters use
> > > a prefix).
> > 
> > And once again, a strong +1 to this, even though I know it's far too late to
> > make such a breaking change to the spec. I really think this was a bad
> > decision and is going to come back and bite us in the future.
> > 
> >  -- Justin
>