[Openid-specs-fapi] Issue #422: Grant Create and Access Methods (openid/fapi)

Stuart Low issues-reply at bitbucket.org
Tue Jun 8 11:08:40 UTC 2021

New issue 422: Grant Create and Access Methods

Stuart Low:

**From** @{6090fabccc7830006a408a7e}  [https://bitbucket.org/openid/fapi/issues/407/grant-management-lifecycle#comment-60599018](https://bitbucket.org/openid/fapi/issues/407/grant-management-lifecycle#comment-60599018)

* Authorization Request - What is the need to support `grant_management_action=create`? Aren't approved authorization requests already creating grants implicitly without this new parameter?
* Grant Management API -> API authorization - I suggest considering securing the Grant Management API with the refresh token used as the bearer token. This achieves several benefits:

    * Removes burden from client to request a separate access token
    * Simplifies AS implementation as it removes the need to look up the grant, instead relying on extracting grant id from the refresh token
    * Provides stronger API security in case an attacker has succeeded to impersonate the client. Attacker would not be able to manipulate or query grants without also obtaining the individual refresh tokens
* Query Status of a Grant - Keep in mind that the proposed API probably cannot fully replace open banking `GET /consents/{ConsentID}` because consent details may differ from grant details
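To make the refresh-token-as-bearer suggestion concrete, here is an added illustration (not code from the FAPI specs or from this thread): a hypothetical AS-side authorization check for `GET`/`DELETE /grants/{grant_id}` that recovers `grant_id` from a signed refresh token rather than looking the grant up, and refuses a caller who holds only client credentials or a refresh token bound to a different grant. The token format, the HMAC secret and the way the authenticated `client_id` is obtained are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real AS would use a properly managed signing key.
AS_SECRET = b"constructed-demo-secret-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_refresh_token(client_id: str, grant_id: str) -> str:
    """Hypothetical self-contained refresh token: body.signature, with the
    grant id embedded so the grant endpoint needs no database lookup."""
    body = _b64(json.dumps(
        {"typ": "refresh", "client_id": client_id, "grant_id": grant_id}).encode())
    sig = _b64(hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def parse_token(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(body))

def authorize_grant_request(authorization_header: str, client_id: str,
                            path_grant_id: str) -> Tuple[int, str]:
    """Decide a request to /grants/{grant_id}. client_id is the identity the
    client already authenticated with (e.g. mTLS or private_key_jwt, assumed).
    Succeeds only with a valid refresh token issued to this client and bound
    to the grant named in the path, so stolen client credentials alone
    cannot query or manipulate grants."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = parse_token(authorization_header[len("Bearer "):])
    if claims is None:
        return 401, "invalid or tampered token"
    if claims.get("typ") != "refresh":
        return 403, "grant management requires the grant's refresh token"
    if claims.get("client_id") != client_id:
        return 403, "token was not issued to this client"
    if claims.get("grant_id") != path_grant_id:
        return 403, "token is bound to a different grant"
    return 200, claims["grant_id"]
```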