[Openid-specs-fapi] Issue #437: Grant Management API Query Response missing normative structure (openid/fapi)

[Jacob Ideskog]

New issue 437: Grant Management API Query Response missing normative structure
https://bitbucket.org/openid/fapi/issues/437/grant-management-api-query-response

Jacob Ideskog:

Section 6.4 \(Query Status of a Grant\) is defining a non-normative example of a response and is missing a normative definition.

The “scopes” section is ambiguous in its definition. The first bullet on “scopes” opens up for differences in the organization of the scopes section of the response which makes it hard to provide generic client implementations.

In order to provide interoperability it should define a structure that the server MUST comply with.

I propose the following language to provide an unambiguous response structure:

---

`scopes`: \(required\) JSON array where every entry is a JSON object that MUST contain a `scope` field and MAY contain a `resource` JSON array. The `resource` array contains one or more absolute URIs referencing the resources \(as defined in \[RFC8707\]\) authorized for that `scope`.  
The `scope` MAY be the empty string if no explicit scope tokens are defined for a particular `resource`.  
Additional entries MAY be added to each entry in the `scopes` JSON object.

`claims`: \(optional\) JSON array containing the names of all OpenID Connect claims \(see \[[OpenID](https://openid.net/specs/fapi-grant-management-01.html#OpenID)\]\) as requested and consented in one or more authorization requests associated with the respective grant.

`authorization_details`: \(optional\) JSON Object as defined in \[[I-D.ietf-oauth-rar](https://openid.net/specs/fapi-grant-management-01.html#I-D.ietf-oauth-rar)\] containing all authorization details as requested and consented in one or more authorization requests associated with the respective grant.