On Thu, Jul 1, 2010 at 6:03 AM, Justin Richer <jric...@mitre.org> wrote:
> #2 is the best route forward. If a particular extension requires its
> parameters to be present and handled, then it has a few different
> options. One is breaking at the server side, either with an explicit
> error or throwing away some other required bit, which has been
> mentioned. Another is looking for a callback return parameter on the
> client side. If the server doesn't return it, then the server didn't
> support that extension and the client should break the flow at that
> point.
>
> I want to ask the list though: what exactly do we mean by ignoring
> parameters? Is it that a server library will ignore unknown parameters
> coming in when doing its processing? That I agree with completely. Same
> with parameters coming back to the client from the server. If you don't
> know about it, don't try to do anything with it. The one case that I
> don't think libraries can *ignore* extra parameters is when using a
> client library to build a request to a server. A particular server
> implementation may require extra parameters on the request in order to
> function (such as MediaWiki's title parameter), and a client needs to be
> able to pass such things through. These parameters can effectively be
> thought of as part of the address of the server URL, can be ignored by
> the OAuth part of the server process, but cannot be dropped by the
> client building the request. So "ignore" in this case means "quietly
> pass through" and not "drop".
>
> In most instances outside of the Big Web Companies, OAuth is going to be
> the new kid being grafted onto an existing framework or application. As
> such, it really needs to play nice.

Just a side note, with extensions also being simple names added to the protocol, chances of a collision with an existing framework are much higher. Using MediaWiki as an example, if an extension proposes to use 'title' as a parameter name it will be approved if it does not collide with other OAuth 2 parameter names (core or extensions), but frameworks will not be checked (that is impossible).

Marius
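
The pass-through behaviour and the name collision discussed in this thread, as an added example that is not part of the original messages or of any OAuth library. The function names, the `wiki.example` endpoint and the client values are constructed for illustration, and refusing the request on a collision is this example's own choice.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Authorization-request parameter names from OAuth 2.0 core (subset used here).
OAUTH_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state"}


class ParameterCollision(ValueError):
    """The endpoint's own query string already uses a protocol parameter name."""


def build_authorization_url(endpoint, oauth_params, extension_params=None):
    """Client side (hypothetical helper): add protocol parameters to `endpoint`
    while passing through, unchanged, any query parameters it already carries."""
    parts = urlsplit(endpoint)
    passthrough = parse_qsl(parts.query, keep_blank_values=True)
    protocol = dict(oauth_params)
    protocol.update(extension_params or {})
    clashes = sorted({k for k, _ in passthrough} & set(protocol))
    if clashes:
        # Refuse rather than silently overwrite or duplicate the name.
        raise ParameterCollision(", ".join(clashes))
    query = urlencode(passthrough + sorted(protocol.items()))
    return urlunsplit(parts._replace(query=query))


def server_view(url, known=OAUTH_PARAMS):
    """Server side (hypothetical helper): split a request into parameters the
    OAuth layer handles and unknown ones it ignores without rejecting them."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    handled = {k: v for k, v in pairs if k in known}
    ignored = {k: v for k, v in pairs if k not in known}
    return handled, ignored


# Constructed sample: a framework that routes on its own `title` parameter.
ENDPOINT = "https://wiki.example/index.php?title=Special:OAuth"
REQUEST = {"response_type": "code", "client_id": "abc123",
           "redirect_uri": "https://client.example/cb"}

if __name__ == "__main__":
    url = build_authorization_url(ENDPOINT, REQUEST)
    print(url)
    print(server_view(url))
```

An extension that registers `title` as its parameter name passes a check against `OAUTH_PARAMS` yet still clashes with this endpoint, which is the case the collision check surfaces.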