I have a question about QueryParameter authentication. Assume a service supports QueryParameter in a URI that doesn't require auth, like ServiceRoot. For different operations, shall we define different auth requirements to prevent security problems?
For example, suppose ServiceRoot supports "expand" and "select". When a user does "expand", auth shall be required, but not when a user does "select".
I agree $select is acceptable to allow without authentication.
For $expand, I can also see simply ignoring the $expand as valid (based on the language today), but we'll need to discuss this further. I think rejecting might be a good approach since it gives the client a clear indicator that the request can't be fulfilled.
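The two options raised above for $expand on a resource that needs no authentication (reject, or ignore), sketched as an added example that is not part of the thread or of any specification. The function name `gate`, the resource list, the 401 status and the default-deny for other parameters are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumptions for this sketch (not from the thread or any specification):
# which resources are readable without a session, and the 401 status.
UNAUTHENTICATED_RESOURCES = {"/redfish/v1", "/redfish/v1/"}
ALLOWED_WITHOUT_AUTH = {"$select"}   # the thread agrees $select is acceptable
NEEDS_AUTH = {"$expand"}             # the parameter the question wants gated


def gate(url, authenticated, on_expand="reject"):
    """Return (status, effective_query) for a GET request.

    on_expand="reject": refuse the request so the client gets a clear signal.
    on_expand="ignore": drop $expand and serve the unexpanded resource.
    """
    parts = urlsplit(url)
    # parse_qsl percent-decodes names, so "%24expand" is seen as "$expand"
    # and cannot slip past a check that only looks for the literal "$".
    params = parse_qsl(parts.query, keep_blank_values=True)

    if authenticated:
        return 200, urlencode(params, safe="$")
    if parts.path not in UNAUTHENTICATED_RESOURCES:
        return 401, ""

    kept = []
    for name, value in params:
        if name in ALLOWED_WITHOUT_AUTH:
            kept.append((name, value))
        elif name in NEEDS_AUTH and on_expand == "ignore":
            continue
        else:
            # $expand under "reject", or any parameter not explicitly
            # allowed (default-deny is an assumption of this sketch).
            return 401, ""
    return 200, urlencode(kept, safe="$")
```

The decision is made on the decoded parameter names, so the same policy applies however the client encodes the query string.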