[Openid-specs-fapi] FAPI Slide Deck

Torsten Lodderstedt torsten at lodderstedt.net
Wed Feb 12 20:11:07 UTC 2020


Hi Vladimir,

> On 12. Feb 2020, at 19:51, Vladimir Dzhuvinov via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> 
> Hi Torsten,
> 
> How does the lifecycle of the grant resource exposed at the
> /grants/{grant_id} endpoint tie to the lifecycle of the issued access /
> refresh token?
> 
> Does it expire with the access token if no refresh token is issued?

Excellent question! Basically, it is supposed to work the other way around. 

The grant_id is an external representation of the grant underlying any token. 

If a grant is revoked, it effectively makes the token useless, since the underlying grant is gone. 

If an access token is revoked or expires, this only means the credential created based on a certain grant is no longer usable. But the grant still exists.

Same if a refresh token is revoked or expires. The client can at any time re-acquire tokens for that grant by going through an authorization process again. If there is a grant for a given client_id/user_id combination, it will be used to inform this authorisation process. If the grant already fulfils the scopes/authorization details the client is requesting, there is not even a need for acquiring user consent (again). 

Does this make sense to you? I think connect2id’s subject session is very similar to the concept of a grant.
 
best regards,
Torsten. 

> 
> Vladimir
> 
> On 29/01/2020 16:49, Torsten Lodderstedt via Openid-specs-fapi wrote:
>> Hi all, 
>> 
>> as discussed in the call today, I started to create a slide deck about the next FAPI revision and look for your feedback/contribution. 
>> 
>> Here is the link: https://docs.google.com/presentation/d/1LyebJ8FhC1sIM9F5e9TNHRPDOYuXiilHt4wQBkvRvtc/edit#slide=id.p
>> 
>> If you want to access/contribute, please request access (respective screen will be shown by Google Docs).
>> 
>> best regards,
>> Torsten. 
> 
> 
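
The lifecycle described in the message above, as an added example that is not part of the original thread or of any FAPI draft: a minimal in-memory model in which tokens point at a grant, and only the grant carries the consented scopes. The class and method names, the scope values and the choice to extend an existing grant when new scopes are requested are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    grant_id: str
    client_id: str
    user_id: str
    scopes: set
    revoked: bool = False

class AuthorizationServer:
    """Hypothetical authorization server state (constructed for this example)."""
    def __init__(self):
        self.grants = {}           # grant_id -> Grant
        self.tokens = {}           # access token -> grant_id
        self.consent_prompts = 0   # how often the user had to consent

    def authorize(self, client_id, user_id, scopes):
        """Authorization process: an existing grant for client/user informs it."""
        wanted = set(scopes)
        grant = next((g for g in self.grants.values() if not g.revoked
                      and (g.client_id, g.user_id) == (client_id, user_id)), None)
        if grant is None:
            grant = Grant(secrets.token_urlsafe(8), client_id, user_id, set())
            self.grants[grant.grant_id] = grant
        if not wanted <= grant.scopes:   # consent only if the grant does not cover it
            self.consent_prompts += 1
            grant.scopes |= wanted       # assumption: the grant is extended in place
        token = secrets.token_urlsafe(16)
        self.tokens[token] = grant.grant_id
        return grant.grant_id, token

    def revoke_token(self, token):
        self.tokens.pop(token, None)     # the credential is gone, the grant remains

    def revoke_grant(self, grant_id):
        self.grants[grant_id].revoked = True   # every token under it becomes useless

    def is_active(self, token):
        grant = self.grants.get(self.tokens.get(token))
        return grant is not None and not grant.revoked

if __name__ == "__main__":
    server = AuthorizationServer()
    gid, tok = server.authorize("client-a", "alice", ["accounts"])
    server.revoke_token(tok)             # token revoked, grant still exists
    gid2, tok2 = server.authorize("client-a", "alice", ["accounts"])
    server.revoke_grant(gid)             # now tok2 is dead as well
    print(gid == gid2, server.consent_prompts, server.is_active(tok2))
```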


