[Openid-specs-fapi] Issue #374: Grant Management Query Response (openid/fapi)

panva issues-reply at bitbucket.org
Thu Feb 18 10:36:10 UTC 2021

New issue 374: Grant Management Query Response

Filip Skokan:

Under `Query Status of a Grant` example

> `scopes`: JSON array where every entry contains the `scope` parameter value and \(optionally\) any `resource` parameter value as defined in \[@!RFC8707\] passed in the same authorization request. **The AS MUST maintain the scope and resource values passed in different authorization requests in separate objects of the JSON structure in order to preserve their relationship.**

This needs clarification. Should e.g. `{ "scope":"openid" }` and `{ "scope":"profile" }` be separate entries rather than `{ "scope":"openid profile" }` if they were requested as part of two different authorization requests? How is “their relationship” preserved this way? As an implementer this MUST is problematic as it forces a specific data structure.

As a client i don’t know how i were to interpret them being separate anyway. I mean, as-is we don’t define any “addressability” for being able to revoke just a subset anyway.

The `claims` parameter is not handled this way, altho each claim may have also been requested separately. \(`claims: JSON array containing the names of all OpenID Connect claims (see [@!OpenID]) as requested and consented in one or more authorization requests associated with the respective grant.`\)

Suggestion: make it a MAY instead of a MUST, or \(more drastically\) actually require them merged and require that every resource is only listed once. Same as an entry with no “resource” property \(AS’s openid defined scopes\).

More information about the Openid-specs-fapi mailing list