The OAuth and OpenID Connect specifications use a standard pattern to enable extensibility in a way that the use of extensions does not break existing deployments. That pattern is:
- Where a set of values is defined, specify that additional values MAY be defined and used.
- Where a set of values is used, specify that values that are not understood MUST be ignored.
Language incorporating this pattern is currently missing from the specification. We should add it where metadata parameters are defined and also for other parameter sets. Otherwise, we'll be building a brittle specification whose deployments will break by rejecting unexpected values when they are added as their ecosystems evolve.
For examples of the use of this pattern in OpenID and OAuth specifications, see the companion issue https://github.com/openid/OpenID4VP/issues/227.
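The difference between a consumer that rejects unexpected values and one that follows the pattern, as an added example that is not part of the original issue or of any specification text. The parameter names are taken from OAuth 2.0 Authorization Server Metadata (RFC 8414); the client's required set, its implemented grant types, the sample document and the extension names in it are assumptions constructed for illustration.

```python
import json

# Assumption: what this hypothetical client needs and understands.
# Parameter names are from OAuth 2.0 Authorization Server Metadata (RFC 8414).
REQUIRED = {"issuer", "token_endpoint"}
KNOWN = REQUIRED | {"authorization_endpoint", "grant_types_supported"}
IMPLEMENTED_GRANTS = {"authorization_code", "refresh_token"}

# Constructed sample: a server that has adopted a later extension.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.com",
  "token_endpoint": "https://as.example.com/token",
  "grant_types_supported": ["authorization_code", "urn:example:future-grant", "refresh_token"],
  "future_extension_parameter": true
}""")


def parse_strict(doc: dict) -> dict:
    """Brittle consumer: any parameter or value it does not know is an error."""
    unknown = set(doc) - KNOWN
    if unknown:
        raise ValueError(f"unexpected parameters: {sorted(unknown)}")
    bad = set(doc.get("grant_types_supported", [])) - IMPLEMENTED_GRANTS
    if bad:
        raise ValueError(f"unexpected grant types: {sorted(bad)}")
    return dict(doc)


def parse_tolerant(doc: dict) -> dict:
    """Ignore what is not understood, but keep validating what is."""
    missing = REQUIRED - set(doc)
    if missing:
        raise ValueError(f"missing required parameters: {sorted(missing)}")
    # Unknown parameters are dropped, never acted on.
    out = {k: v for k, v in doc.items() if k in KNOWN}
    grants = out.get("grant_types_supported")
    if grants is not None:
        if not isinstance(grants, list):
            raise ValueError("grant_types_supported must be an array")
        # Unknown values in a known set are ignored, order preserved.
        out["grant_types_supported"] = [g for g in grants if g in IMPLEMENTED_GRANTS]
    return out


if __name__ == "__main__":
    print(parse_tolerant(SAMPLE_METADATA))
```

Ignoring unknown input does not relax checks on understood input: the tolerant parser still fails on a missing required parameter or a wrongly typed known one.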