[Openid-specs-fapi] Comments on Grant Management for OAuth 2.0
taka at authlete.com
Wed Aug 12 15:05:00 UTC 2020
My comments on "Grant Management for OAuth 2.0" ( ) are as follows.
Multiple Grant IDs
If the spec allows multiple grant IDs to be issued to a particular
combination of a client application and a resource owner, there are no big
differences between grant IDs and access/refresh tokens. I'm afraid that
benefits gained won't be so big compared to efforts that would have to be
made for the introduced complexity.
Single Grant ID (or No Grant ID)
If the spec ensures that the number of grant IDs issued to a particular
combination of a client application and a resource owner is at most one,
the spec can be simpler. I guess it would be possible to omit even issuance
of grant IDs. "grant_management_mode=(update|replace)" without "grant_id"
would be enough.
I don't think another access token is needed to call Grant Management APIs.
In other words, I think the same access token that has been issued as a
result of an authorization request can be used to call Grant Management
APIs. In addition, because an access token has information about a client
application and a resource owner, information about a grant ID won't be
necessary in the API path or as a request parameter.
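To make the "single grant per client/resource-owner pair" design sketched in the post above concrete, here is an added toy model. It is my own illustration, not code from the post's author, from Authlete, or from the Grant Management draft, and it assumes several things the post does not spell out: grants live in an in-memory map keyed by (client_id, subject); grant_management_mode accepts only "update" and "replace", defaulting to "replace"; the first request from a pair creates the grant under either mode; and the grant management calls take nothing but the access token, resolving the grant from the client and subject bound to that token.

```python
"""Toy authorization server modelling one grant per (client, resource owner).

Hypothetical illustration of the post's proposal; not the Grant Management
API itself and not any real implementation.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    client_id: str
    subject: str
    scopes: set = field(default_factory=set)
    claims: set = field(default_factory=set)


@dataclass
class AccessToken:
    value: str
    client_id: str   # the token already identifies the client ...
    subject: str     # ... and the resource owner, so no grant_id is needed
    scopes: set


class AuthorizationServer:
    def __init__(self):
        self._grants = {}   # (client_id, subject) -> Grant  (at most one)
        self._tokens = {}   # token value -> AccessToken

    def authorize(self, client_id, subject, scopes, claims=frozenset(),
                  grant_management_mode="replace"):
        """Process an authorization request without a grant_id parameter.

        'update' merges the newly requested scopes/claims into the existing
        grant; 'replace' discards the old grant. Either mode creates the
        grant when none exists yet (assumption).
        """
        if grant_management_mode not in ("update", "replace"):
            raise ValueError("unsupported grant_management_mode")
        key = (client_id, subject)
        grant = self._grants.get(key)
        if grant is None or grant_management_mode == "replace":
            grant = Grant(client_id, subject, set(scopes), set(claims))
            self._grants[key] = grant
        else:
            grant.scopes |= set(scopes)
            grant.claims |= set(claims)
        token = AccessToken(secrets.token_urlsafe(16), client_id, subject,
                            set(scopes))
        self._tokens[token.value] = token
        return token

    def _grant_for(self, token_value):
        # The grant is located purely from the token's client + subject.
        token = self._tokens.get(token_value)
        if token is None:
            raise PermissionError("invalid or revoked access token")
        return self._grants[(token.client_id, token.subject)]

    def query_grant(self, token_value):
        """Grant Management 'query' using the ordinary access token."""
        g = self._grant_for(token_value)
        return {"scopes": sorted(g.scopes), "claims": sorted(g.claims)}

    def revoke_grant(self, token_value):
        """Grant Management 'revoke': drops the grant and every token under it."""
        g = self._grant_for(token_value)
        key = (g.client_id, g.subject)
        del self._grants[key]
        self._tokens = {v: t for v, t in self._tokens.items()
                        if (t.client_id, t.subject) != key}

    def token_is_active(self, token_value):
        return token_value in self._tokens

    def grant_count(self):
        return len(self._grants)


if __name__ == "__main__":
    srv = AuthorizationServer()
    t1 = srv.authorize("app", "alice", {"accounts"}, {"name"})
    t2 = srv.authorize("app", "alice", {"payments"},
                       grant_management_mode="update")
    print(srv.query_grant(t2.value))   # merged grant, still one grant
    srv.revoke_grant(t1.value)
    print(srv.token_is_active(t2.value))  # False: both tokens shared the grant
```

The point the model makes visible is that every token issued to the same (client, subject) pair resolves to the same grant, so querying through t1 or t2 returns identical results, and revoking through either kills both.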