[Openid-specs-fapi] Issue #423: Refresh token used as bearer token for Grant Management APIs (openid/fapi)

Dima Postnikov issues-reply at bitbucket.org
Wed Jun 16 13:36:27 UTC 2021


New issue 423: Refresh token used as bearer token for Grant Management APIs
https://bitbucket.org/openid/fapi/issues/423/refresh-token-used-as-bearer-token-for

Dima Postnikov:

**From** @Yaron Zehavi  [https://bitbucket.org/openid/fapi/issues/407/grant-management-lifecycle#comment-60599018](https://bitbucket.org/openid/fapi/issues/407/grant-management-lifecycle#comment-60599018)

Grant Management API -> API authorization - I suggest considering securing the Grant Management API with the refresh token used as a bearer token. This achieves several benefits:

* Removes burden from client to request a separate access token
* Simplifies AS implementation as it removes the need to look up the grant, instead relying on extracting grant id from the refresh token
* Provides stronger API security in case an attacker has succeeded in impersonating the client. An attacker would not be able to manipulate or query grants without also obtaining the individual refresh tokens
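To make the proposal concrete, here is an added illustration of an authorization server protecting a Grant Management endpoint with the refresh token as the bearer credential. It is not code from this thread or from the FAPI Grant Management specification: the `/grants/{grant_id}` path, the HMAC-signed JSON refresh-token format, the `AuthorizationServer` class and all client and scope values are constructed assumptions. It shows the two security properties from the bullets: the grant id is recovered from the token itself rather than looked up, and a party that holds only the client's credentials (the `authenticated_client` argument) but not the refresh token cannot query or revoke the grant.

```python
"""Toy AS (added example, not spec or project code): refresh token used as the
bearer credential for a Grant Management endpoint. All names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Issues grants and refresh tokens, and serves GET/DELETE /grants/{grant_id}
    (path is an assumption) authenticated by the refresh token as bearer."""

    def __init__(self) -> None:
        # Server-side HMAC key protecting refresh-token integrity (constructed).
        self._key = secrets.token_bytes(32)
        # grant_id -> grant record (client_id, scopes, status)
        self.grants: Dict[str, dict] = {}

    def _mac(self, payload_b64: str) -> str:
        return _b64url(hmac.new(self._key, payload_b64.encode(), hashlib.sha256).digest())

    def issue_grant(self, client_id: str, scopes: List[str]) -> Tuple[str, str]:
        """Create a grant and return (grant_id, refresh_token). The token embeds the
        grant id and client id, so the AS recovers the grant without a lookup table."""
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = {"client_id": client_id, "scopes": scopes, "status": "active"}
        payload = {"grant_id": grant_id, "client_id": client_id, "jti": secrets.token_urlsafe(8)}
        payload_b64 = _b64url(json.dumps(payload).encode())
        return grant_id, f"{payload_b64}.{self._mac(payload_b64)}"

    def _parse_refresh_token(self, token: str) -> Optional[dict]:
        """Return the token payload if its MAC verifies, otherwise None."""
        try:
            payload_b64, mac = token.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(payload_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))

    def grant_management(self, method: str, grant_id: str, authz_header: Optional[str],
                         authenticated_client: str) -> Tuple[int, dict]:
        """Handle a Grant Management request. `authenticated_client` is the client id
        established by client authentication (e.g. mTLS or private_key_jwt)."""
        if not authz_header or not authz_header.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        payload = self._parse_refresh_token(authz_header[len("Bearer "):])
        if payload is None:
            return 401, {"error": "invalid_token"}
        # The refresh token is bound to exactly one grant and one client; both must match,
        # so credentials alone (without the individual refresh token) cannot reach the grant.
        if payload["grant_id"] != grant_id or payload["client_id"] != authenticated_client:
            return 403, {"error": "access_denied"}
        grant = self.grants.get(grant_id)
        if grant is None or grant["status"] != "active":
            return 401, {"error": "invalid_token"}
        if method == "GET":
            return 200, {"grant_id": grant_id, "scopes": grant["scopes"], "status": grant["status"]}
        if method == "DELETE":
            grant["status"] = "revoked"  # also invalidates the refresh token bound to it
            return 204, {}
        return 405, {"error": "method_not_allowed"}


if __name__ == "__main__":
    srv = AuthorizationServer()
    gid, rt = srv.issue_grant("client-1", ["accounts"])
    print(srv.grant_management("GET", gid, "Bearer " + rt, "client-1"))
    print(srv.grant_management("GET", gid, None, "client-1"))  # credentials only
```

Revoking a grant through `DELETE` also ends the life of its refresh token, which is the behaviour the proposal implies: the token and the grant share one lifecycle, so there is no separate access token to revoke or re-issue for the management API.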
