[Openid-specs-fapi] Issue #412: FAPI 2.0 - Hard requirement to support Grant Management Requirement (openid/fapi)

Ralph Bragg issues-reply at bitbucket.org
Wed May 19 15:21:15 UTC 2021


New issue 412: FAPI 2.0 - Hard requirement to support Grant Management Requirement
https://bitbucket.org/openid/fapi/issues/412/fapi-20-hard-requirement-to-support-grant

Ralph Bragg:

One of the goals of Grant Management is to enable the management of grants including different authorization_details objects. RAR by itself does not provide any ability to manage or interrogate. Management and interrogation are supported in most lodging intent pattern implementations that are implemented around the world.

In order to replace current implementations of Open Banking Authorisation Management which make extensive use of lodging intent pattern we need Grant Management functionality. 

Currently the specification includes 

1. shall support the `authorization_details` parameter according to [@!I-D.ietf-oauth-rar] to convey the authorization clients want to obtain if the `scope` parameter is not expressive enough for that purpose

The ‘intent’ of this is obviously to get people to stop using ‘Lodging intent’ or other non standardized ways of conveying rich authorisations however a strict interpretation would prevent implementations from being FAPI 2.0 compliant whilst they were still using lodging intent.

A less strict, but literal, interpretation is that provided the ‘scope’ is conveyed in the ‘scope’ parameter of OAuth 2.0, even if it was a reference to the lodged intent, then an implementation is compliant.

What do we want to do to reconcile this?
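As an added illustration (not part of Ralph's message or of the FAPI specification), the two readings of requirement 1 above expressed as a conformance check that an authorization server or test suite could run over an incoming authorization request. The client id, scope values and intent reference are constructed; the shape assumed for `authorization_details` (a JSON array of objects, each carrying a string `type`) is the one defined by draft-ietf-oauth-rar.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample request 1: RAR style, rich authorisation carried in authorization_details.
RAR_REQUEST = urlencode({
    "response_type": "code",
    "client_id": "tpp-123",                      # constructed client id
    "scope": "openid",
    "authorization_details": json.dumps([{
        "type": "account_information",            # constructed RAR type
        "actions": ["read"],
        "locations": ["https://bank.example/accounts"],
    }]),
})

# Constructed sample request 2: lodging-intent style, the rich authorisation was
# registered beforehand and the request only carries a reference to it inside scope.
INTENT_REQUEST = urlencode({
    "response_type": "code",
    "client_id": "tpp-123",
    "scope": "openid accounts consent:urn-example-intent-42",   # constructed intent reference
})


def validate_authorization_details(raw):
    """Check the RAR structure: non-empty JSON array of objects, each with a string 'type'."""
    details = json.loads(raw)
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for obj in details:
        if not isinstance(obj, dict) or not isinstance(obj.get("type"), str):
            raise ValueError("each authorization_details entry needs a string 'type'")
    return details


def rar_is_well_formed(raw):
    """Boolean wrapper around validate_authorization_details for callers that do not want exceptions."""
    try:
        validate_authorization_details(raw)
        return True
    except (ValueError, TypeError):
        return False


def conveys_rich_authorization(query, strict):
    """Strict reading: rich authorisation must be carried in authorization_details.
    Literal reading: a scope value that merely references a lodged intent also passes."""
    params = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    if "authorization_details" in params:
        validate_authorization_details(params["authorization_details"])  # malformed RAR fails either way
        return True
    if strict:
        return False
    return bool(params.get("scope", "").strip())
```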


