[Openid-specs-fapi] Comments on Grant Management for OAuth 2.0

Takahiko Kawasaki taka at authlete.com
Wed Aug 12 15:05:00 UTC 2020


Hello,

My comments on "Grant Management for OAuth 2.0" (
https://bitbucket.org/openid/fapi/src/master/Financial_API_Grant_Management.md
) are as follows.

[1] Multiple Grant IDs

If the spec allows multiple grant IDs to be issued to a particular
combination of a client application and a resource owner, there are no big
differences between grant IDs and access/refresh tokens. I'm afraid that
benefits gained won't be so big compared to efforts that would have to be
made for the introduced complexity.

[2] Single Grant ID (or No Grant ID)

If the spec ensures that the number of grant IDs issued to a particular
combination of a client application and a resource owner is at most one,
the spec can be simpler. I guess it would be possible to omit even issuance
of grant IDs. "grant_management_mode=(update|replace)" without "grant_id"
would be enough.

I don't think another access token is needed to call Grant Management APIs.
In other words, I think the same access token that has been issued as a
result of an authorization request can be used to call Grant Management
APIs. In addition, because an access token has information about a client
application and a resource owner, information about a grant ID won't be
necessary in the API path or as a request parameter.

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
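An added example, not part of the original mail or of the Grant Management draft text: a toy authorization server that models the single-grant design sketched in [2]. It keeps at most one grant per (client, resource owner) pair, accepts `grant_management_mode` of `update` or `replace` without any `grant_id`, and lets the same access token issued by the authorization request drive the query and revoke calls. The class, method names, the rejection of a plain second request, and the token format are assumptions made for illustration.

```python
import secrets


class SingleGrantServer:
    """Toy authorization server: at most one grant per (client_id, subject)."""

    def __init__(self):
        self.grants = {}   # (client_id, subject) -> set of granted scopes
        self.tokens = {}   # access token -> (client_id, subject)

    def authorize(self, client_id, subject, scopes, grant_management_mode=None):
        """Consented authorization request; returns an access token bound to
        the single grant of this client/resource-owner pair."""
        key, scopes = (client_id, subject), set(scopes)
        existing = self.grants.get(key)
        if grant_management_mode is None:
            if existing is not None:
                # Assumed policy: with only one grant allowed, a second plain
                # request is ambiguous, so the client must choose update|replace.
                raise ValueError("grant exists; use grant_management_mode=update|replace")
            self.grants[key] = scopes
        elif grant_management_mode == "update":
            self.grants[key] = (existing or set()) | scopes   # merge scopes
        elif grant_management_mode == "replace":
            self.grants[key] = scopes                         # overwrite scopes
        else:
            raise ValueError("unknown grant_management_mode")
        token = secrets.token_urlsafe(16)   # constructed opaque token
        self.tokens[token] = key
        return token

    def _resolve(self, access_token):
        """The token alone identifies client and resource owner, hence the
        grant: no grant_id path segment or request parameter is needed."""
        key = self.tokens.get(access_token)
        if key is None or key not in self.grants:
            raise PermissionError("invalid or revoked access token")
        return key

    def query_grant(self, access_token):
        """Grant Management query: current scopes of the caller's grant."""
        return sorted(self.grants[self._resolve(access_token)])

    def revoke_grant(self, access_token):
        """Grant Management revoke: drops the grant and every token bound to it."""
        key = self._resolve(access_token)
        del self.grants[key]
        self.tokens = {t: k for t, k in self.tokens.items() if k != key}
```

Note that after `replace`, an older token for the same pair sees the new scope set, because its authority is the grant, not a per-token scope copy.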