[Openid-specs-fapi] Issue #442: Grant vs Consent confusion (openid/fapi)

Jacob Ideskog issues-reply at bitbucket.org
Tue Aug 31 13:34:29 UTC 2021

New issue 442: Grant vs Consent confusion

Jacob Ideskog:

This is a more general issue that I place here for discussion.

When reading the Grant Management spec from an implementation perspective, vs when listening to the discussions and use-cases I feel that there is a discrepancy between the intent of the specification and the text. The difference between a Grant and a Consent is clearly defined in section 1.1. However the specification mostly deals with Grants, but the use-cases and discussion often are about consents.

From an implementation perspective I know that consents are handled very differently between vendors, and that it is often the consented data that is interesting to the end-user. 

To give some examples:

* When a Grant expires, does that mean that the consent expires? In either case it’s worth defining
* If a new Grant is created for already consented to scope, client and resource-owner, should a new consent be required?
* Revoking a Grant, does that revoke the consent?

I think this needs to be clarified in greater detail in the specification as it will lead to big differences in implementation and prohibit interoperability.


More information about the Openid-specs-fapi mailing list