[Openid-specs-fapi] Issue #407: Grant Management Lifecycle (openid/fapi)

Ralph Bragg issues-reply at bitbucket.org
Tue May 4 06:02:55 UTC 2021

New issue 407: Grant Management Lifecycle

Ralph Bragg:

In current implementations globally, the grant has a life cycle that begins pre-authorisation that is queryable by clients. In the current proposals with GrantAPI, or when included with RAR, alone the grant is created at Authorisation and during the latest Australian Workshop it was presented as being created post successful user authentication and consent. This is a deviation from the current functionality within ecosystems which we need to consider.

Likewise, the grant may not be 'authorised' or 'completely authorised' when it is first authorised by a single user, e.g. Multi Party Consent. So our language in terms of lifecycle needs to consider these transitions.

The PAR request doesn’t support status and has the strong recommendation to prevent replay, “Since the request URI can be replayed, its lifetime SHOULD be short and preferably limited to one-time use.”
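The lifecycle states and the PAR replay concern raised above, as an added example that is not code from the issue, the FAPI working group or any specification; the state names, the approver model and the 60-second TTL are assumptions:

```python
"""Added example (not from the original issue or any spec): a toy grant lifecycle
with the states the issue describes, plus a PAR request_uri store with one-time use."""
from dataclasses import dataclass, field
import secrets
import time

# Legal state transitions. A grant exists, and is queryable, before authorisation.
TRANSITIONS = {
    "pending": {"partially_authorised", "authorised"},
    "partially_authorised": {"authorised"},
    "authorised": set(),
}

@dataclass
class Grant:
    grant_id: str
    required_approvers: frozenset   # every party that must consent (assumed model)
    approvals: set = field(default_factory=set)
    status: str = "pending"

    def _move(self, new):
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"illegal transition {self.status} -> {new}")
        self.status = new

    def approve(self, user):
        if user not in self.required_approvers:
            raise PermissionError(f"{user} is not a required approver")
        self.approvals.add(user)
        # Multi-party consent: fully authorised only once every party has consented
        if self.approvals == set(self.required_approvers):
            self._move("authorised")
        elif self.status == "pending":
            self._move("partially_authorised")
        return self.status

class ParStore:
    """Pushed authorisation requests: short TTL, consumed on first use."""
    def __init__(self, ttl_seconds=60, now=time.time):
        self._ttl, self._now, self._entries = ttl_seconds, now, {}

    def push(self, params):
        uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._entries[uri] = (params, self._now() + self._ttl)
        return uri
    def consume(self, uri):
        params, exp = self._entries.pop(uri, (None, 0.0))  # pop: one-time use
        if params is None or self._now() > exp:
            return None  # unknown, replayed or expired request_uri
        return params
```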
