Added:
unsupported parameter value (other than grant type)
EH
> -Original Message-
> From: Roger Crew [mailto:c...@cs.stanford.edu]
> Sent: Tuesday, February 07, 2012 12:53 PM
> To: Eran Hammer
> Cc: oauth@ietf.org
> Subject: RE: [OAUTH-WG] error codes in 4
> > (2) [in 4.2.2.1] If the response_type is provided but unknown,
> > is that an 'invalid_request' (since this is clearly an
> > "unsupported parameter value") or is it an
> > 'unsupported_response_type'?
> >
> > Seems to me it should be the latter. If so, then...
> >
Thanks.
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Roger Crew
> Sent: Sunday, November 13, 2011 4:19 PM
> (1) 4.1.2.1, and 4.2.2.1 both say that in the case that client_id is
> provided and invalid/unknown, the auth server MUST N
It now occurs to me that "bug" for item (1) below is perhaps
a bit understated; it's really more of a security issue,
since if the implementer follows what the current spec is
apparently saying, the authorization server essentially
becomes an open redirector.
(... Apologies if this was obvious
[With respect to OAuth v2 draft 22]
I have some observations about the error responses at the authorization
endpoint (4.1.2.1 and 4.2.2.1 for the authorization_code and implicit
grant_types, respectively).
(1) looks like a bug,
(2) is an ambiguity and may also apply to Section 5.2,
(3-5)
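
The following is an added example, not part of the thread or of the OAuth draft. It sketches the check order implied by items (1) and (2): never redirect until both client_id and redirect_uri have been validated against the registration, and only then report parameter errors via redirect. The registry, function names and URIs are hypothetical, and errors are assumed to be returned in the query component.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed client registry: client_id -> exact redirect URIs registered for it.
REGISTERED = {"client-abc": {"https://client.example/cb"}}
SUPPORTED_RESPONSE_TYPES = {"code", "token"}

def _redirect_with_error(redirect_uri, error, state):
    """Append error (and state, if given) to the query of a validated redirect URI."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("error", error)]
    if state is not None:
        query.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(query)))

def handle_authorization_request(params):
    """Return ("page", reason), ("redirect", url) or ("continue", None)."""
    # Item (1): an unknown client_id means the redirect_uri cannot be trusted,
    # so the error is shown locally. Redirecting here would make the endpoint
    # an open redirector.
    registered = REGISTERED.get(params.get("client_id"))
    if registered is None:
        return ("page", "unknown or missing client_id")

    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(registered) == 1:
        redirect_uri = next(iter(registered))  # fall back to the single registered URI
    if redirect_uri not in registered:
        return ("page", "redirect_uri not registered for this client")

    # From here on the redirect target is known-good, so errors may be sent to it.
    state = params.get("state")
    response_type = params.get("response_type")
    if response_type is None:
        return ("redirect", _redirect_with_error(redirect_uri, "invalid_request", state))
    # Item (2): present but unknown response_type gets the specific error code.
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return ("redirect",
                _redirect_with_error(redirect_uri, "unsupported_response_type", state))
    return ("continue", None)
```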