[Openid-specs-fapi] Issue #445: Condition for a token response to include a grant_id (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Tue Sep 28 11:27:16 UTC 2021


New issue 445: Condition for a token response to include a grant_id
https://bitbucket.org/openid/fapi/issues/445/condition-for-a-token-response-to-include

Takahiko Kawasaki:

[Section 5.4 Token Response](https://openid.net/specs/fapi-grant-management-ID1.html#name-token-response) of [Grant Management for OAuth 2.0 ID1](https://openid.net/specs/fapi-grant-management-ID1.html) states as follows.

> The AS will return a `grant_id` if it supports any of the grant management actions `query`, `revoke`, `update`, `replace`.

Q1. Is it allowed for the authorization server to issue a new grant ID even when the authorization request does not include `grant_management_action=create` explicitly?

Q2. Is it allowed for an implementation NOT to issue a new grant ID when the authorization request does not include `grant_management_action=create` explicitly even if the implementation supports `query`, `revoke`, `update` and/or `replace`?

Q3. Why is `create` excluded from the list of the grant management actions?

If asked, I would change the paragraph to something like the one below.

> The AS will return a `grant_id` if the authorization request includes `grant_management_action`.
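
As an added illustration (not part of this issue or of the Grant Management spec), the two wordings encoded as predicates, together with the requests on which they give different answers; the action names are the spec's own, the token values and the grant_id are constructed:

```python
"""Added example: models the ID1 Section 5.4 condition and the proposed
replacement for including grant_id in a token response, and lists the
request shapes on which the two readings disagree."""
from typing import Optional

# Actions defined by Grant Management for OAuth 2.0 (ID1).
GRANT_MANAGEMENT_ACTIONS = frozenset({"create", "query", "revoke", "update", "replace"})
# The four actions named in the ID1 Section 5.4 sentence (create is not listed).
ID1_LISTED_ACTIONS = frozenset({"query", "revoke", "update", "replace"})


def grant_id_per_id1_text(supported_actions: frozenset, requested_action: Optional[str]) -> bool:
    """ID1 wording: grant_id is returned if the AS supports query/revoke/update/replace.
    The content of the authorization request does not enter the condition at all."""
    return bool(supported_actions & ID1_LISTED_ACTIONS)


def grant_id_per_proposed_text(supported_actions: frozenset, requested_action: Optional[str]) -> bool:
    """Proposed wording: grant_id is returned if the request carried grant_management_action."""
    return requested_action is not None


def build_token_response(condition, supported_actions, requested_action, grant_id="grant-0001"):
    """Constructed token response; grant_id is included only when the chosen condition holds."""
    response = {"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3600}
    if condition(supported_actions, requested_action):
        response["grant_id"] = grant_id  # constructed sample value, not a real identifier
    return response


def divergent_cases(supported_actions: frozenset):
    """Requested actions (None = parameter absent) on which the two readings differ,
    as (requested_action, id1_text_result, proposed_text_result) tuples."""
    out = []
    for requested in [None, *sorted(GRANT_MANAGEMENT_ACTIONS)]:
        a = grant_id_per_id1_text(supported_actions, requested)
        b = grant_id_per_proposed_text(supported_actions, requested)
        if a != b:
            out.append((requested, a, b))
    return out


if __name__ == "__main__":
    # AS supporting every action: the readings disagree only when the parameter is absent (Q1/Q2).
    print(divergent_cases(GRANT_MANAGEMENT_ACTIONS))
    # AS supporting only create: the ID1 text never yields a grant_id, even for create (Q3).
    print(divergent_cases(frozenset({"create"})))
```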
