IETF Logo Mail Archive

Re: [OAUTH-WG] Ignoring unrecognized request parameters

Michael Thomas <mike@mtcc.com> Thu, 16 February 2012 18:48 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 910DB11E80A2 for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:48:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RuYW3RFfyk4E for <oauth@ietfa.amsl.com>; Thu, 16 Feb 2012 10:48:06 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 9F61D21F87D7 for <oauth@ietf.org>; Thu, 16 Feb 2012 10:48:06 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id q1GIm0U1008322 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 16 Feb 2012 10:48:00 -0800
Message-ID: <4F3D4F60.4010101@mtcc.com>
Date: Thu, 16 Feb 2012 10:48:00 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Marius Scurtescu <mscurtescu@google.com>
References: <4E1F6AAD24975D4BA5B1680429673943663A7EA2@TK5EX14MBXC284.redmond.corp.microsoft.com> <1329417179.41387.YahooMailNeo@web31809.mail.mud.yahoo.com> <CAGdjJpJiDRKB+B9tPhUSKVHKQMgeNMAKKduKgE5E4QE41k+N9A@mail.gmail.com>
In-Reply-To: <CAGdjJpJiDRKB+B9tPhUSKVHKQMgeNMAKKduKgE5E4QE41k+N9A@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1913; t=1329418085; x=1330282085; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20Ignoring=20unrecognized=20 request=20parameters |Sender:=20 |To:=20Marius=20Scurtescu=20<mscurtescu@google.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=OqP3hFgSO/YEZX1KOMjfa3dg5H2malyOXQB58CG73yQ=; b=UVT7MWabPPbsA3LmFaWsi5RCb4T6QXCkMyqIFTPXOJAG9gfX8dyIeSLR3m zF3GkE2EeqgBrN60u2qJs8WJxaTJ3910STOgrw2d435pgIUSk86lOGgiSN0e j9ddlWjP8EaYSiSXcgt14MsQ/KxjZao8LJGnEtll7dj80DYtZ4Oj8=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Ignoring unrecognized request parameters
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 18:48:11 -0000

+1

On 02/16/2012 10:45 AM, Marius Scurtescu wrote:
> +1
>
> Yes, forward compatibility and extensions will be broken if
> unrecognized params are not allowed.
>
> Marius
>
>
>
> On Thu, Feb 16, 2012 at 10:32 AM, William Mills<wmills@yahoo-inc.com>  wrote:
>> No, this is required for forward compatibility.  Implementations that send
>> extended parameters like capability advertisements (i.e. CAPTCHA support or
>> something) shoudl not be broken hitting older implementations.
>>
>> ________________________________
>> From: Mike Jones<Michael.Jones@microsoft.com>
>> To: "oauth@ietf.org"<oauth@ietf.org>
>> Sent: Thursday, February 16, 2012 10:16 AM
>> Subject: [OAUTH-WG] Ignoring unrecognized request parameters
>>
>> In core -23, the last paragraph of section 3.1 now says:
>>
>>                  The authorization server MUST ignore unrecognized request
>> parameters.
>>
>> In -22, this said:
>>
>>                  The authorization server SHOULD ignore unrecognized request
>> parameters.
>>
>> In a security protocol, it seems unreasonable to require that information be
>> ignored.  As I see it, it SHOULD be legal to return an error if unrecognized
>> information is received.
>>
>> Why the change?  And can we please have it changed back to SHOULD in -24?
>>
>>                                                                  Thanks,
>>                                                                  -- Mike
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.14.0 | Report a Bug | By Email