Previously auth-params which started with the characters of a known auth-param were allowed even though they were not a known auth-param.