[Openid-specs-fapi] Issue #374: Grant Management Query Response (openid/fapi)

[panva]

New issue 374: Grant Management Query Response
https://bitbucket.org/openid/fapi/issues/374/grant-management-query-response

Filip Skokan:

Under `Query Status of a Grant` example

> `scopes`: JSON array where every entry contains the `scope` parameter value and \(optionally\) any `resource` parameter value as defined in \[@!RFC8707\] passed in the same authorization request. **The AS MUST maintain the scope and resource values passed in different authorization requests in separate objects of the JSON structure in order to preserve their relationship.**

This needs clarification. Should e.g. `{ "scope":"openid" }` and `{ "scope":"profile" }` be separate entries rather than `{ "scope":"openid profile" }` if they were requested as part of two different authorization requests? How is “their relationship” preserved this way? As an implementer this MUST is problematic as it forces a specific data structure.

As a client i don’t know how i were to interpret them being separate anyway. I mean, as-is we don’t define any “addressability” for being able to revoke just a subset anyway.

The `claims` parameter is not handled this way, altho each claim may have also been requested separately. \(`claims: JSON array containing the names of all OpenID Connect claims (see [@!OpenID]) as requested and consented in one or more authorization requests associated with the respective grant.`\)

Suggestion: make it a MAY instead of a MUST, or \(more drastically\) actually require them merged and require that every resource is only listed once. Same as an entry with no “resource” property \(AS’s openid defined scopes\).