[Openid-specs-fapi] Issue #442: Grant vs Consent confusion (openid/fapi)
issues-reply at bitbucket.org
Tue Aug 31 13:34:29 UTC 2021
New issue 442: Grant vs Consent confusion
This is a more general issue that I place here for discussion.
When reading the Grant Management spec from an implementation perspective, vs when listening to the discussions and use-cases I feel that there is a discrepancy between the intent of the specification and the text. The difference between a Grant and a Consent is clearly defined in section 1.1. However the specification mostly deals with Grants, but the use-cases and discussion often are about consents.
From an implementation perspective I know that consents are handled very differently between vendors, and that it is often the consented data that is interesting to the end-user.
To give some examples:
* When a Grant expires, does that mean that the consent expires? In either case it's worth defining
* If a new Grant is created for already consented to scope, client and resource-owner, should a new consent be required?
* Revoking a Grant, does that revoke the consent?
I think this needs to be clarified in greater detail in the specification as it will lead to big differences in implementation and prohibit interoperability.