[Openid-specs-fapi] Issue #375: Grant Management Revoke Grant response (openid/fapi)

panva issues-reply at bitbucket.org
Thu Feb 18 10:37:46 UTC 2021

New issue 375: Grant Management Revoke Grant response

Filip Skokan:

## Revoke Grant

To revoke a grant, the client sends an HTTP DELETE request to the grant's resource URL. The authorization server responds with an HTTP status code 204 and an empty response body.

This is illustrated by the following example.

```http
DELETE /grants/TSdqirmAxDa0_-DB_1bASQ
Host: as.example.com
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA

HTTP/1.1 204 No Content
```

The AS MUST revoke the grant and all refresh tokens issued based on that particular grant; it SHOULD revoke all access tokens issued based on that particular grant.

Note: Token revocation as defined in [@RFC7009] differs from grant revocation as defined in this specification in that token revocation is not required to cause the revocation of the underlying grant. It is at the discretion of the AS to retain a grant in case of token revocation and allow the client to re-connect to this grant through a subsequent authorization request. This decoupling may improve user experience in case the client just wanted to discard the token as a credential.

This section needs to address the behaviour when the underlying grant is invalid or not found. Does it behave similarly to introspection (returning 204 anyway) or return a 400 invalid_grant?
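As an added worked example (not text or code from the Grant Management draft, this issue, or any real authorization server), the handler below implements the Revoke Grant exchange quoted above and makes the open question switchable: unknown, already-revoked and foreign grants are answered either with an idempotent 204 or with a 400 `invalid_grant`. The in-memory grant store, the bearer-token-to-client map, the ownership check and the `unknown_grant` policy switch are assumptions of the example; the grant id and bearer token are the ones from the draft's sample request.

```python
# Added example for the Revoke Grant section: a minimal, in-memory handler
# for "DELETE /grants/{grant_id}". Illustrative code only, not the FAPI Grant
# Management draft's text or any real authorization server. The grant store,
# the bearer-token-to-client map, the ownership check and the `unknown_grant`
# policy switch are assumptions made for this example.
import json
import re
from dataclasses import dataclass, field

GRANT_PATH = re.compile(r"^/grants/(?P<grant_id>[A-Za-z0-9_-]+)$")


@dataclass
class Grant:
    client_id: str                      # client the grant was issued to
    refresh_tokens: set = field(default_factory=set)
    access_tokens: set = field(default_factory=set)
    revoked: bool = False


@dataclass
class AuthorizationServer:
    grants: dict                 # grant_id -> Grant
    bearer_tokens: dict          # access token -> client_id allowed to manage grants
    unknown_grant: str = "204"   # "204" (idempotent, RFC 7009 style) or "invalid_grant"

    def handle_delete(self, path, headers):
        """Return (status, headers, body) for a DELETE on a grant resource URL."""
        m = GRANT_PATH.match(path)
        if m is None:
            return 404, {}, ""
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        client_id = self.bearer_tokens.get(token) if token else None
        if client_id is None:
            # Unauthenticated callers learn nothing about the grant at all.
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, ""
        grant = self.grants.get(m["grant_id"])
        # "No such grant", "already revoked" and "another client's grant" are
        # answered identically, so a client cannot use this endpoint to probe
        # which grant identifiers exist for other clients.
        if grant is None or grant.revoked or grant.client_id != client_id:
            if self.unknown_grant == "invalid_grant":
                body = json.dumps({"error": "invalid_grant"})
                return 400, {"Content-Type": "application/json"}, body
            return 204, {}, ""
        # Quoted text: MUST revoke the grant and all its refresh tokens,
        # SHOULD revoke its access tokens. This example does all three.
        grant.revoked = True
        grant.refresh_tokens.clear()
        grant.access_tokens.clear()
        return 204, {}, ""


def build_sample_server(unknown_grant="204"):
    """Constructed sample state using the grant id and bearer token from the example request."""
    return AuthorizationServer(
        grants={"TSdqirmAxDa0_-DB_1bASQ": Grant("client-a", {"rt-1", "rt-2"}, {"at-1"})},
        bearer_tokens={"2YotnFZFEjr1zCsicMWpAA": "client-a", "tokenOfOtherClient": "client-b"},
        unknown_grant=unknown_grant,
    )


def sample_exchange(unknown_grant="204"):
    """Replay four DELETEs against one server and return their status codes:
    1. the example request, 2. the same request repeated,
    3. another client's token, 4. no Authorization header."""
    server = build_sample_server(unknown_grant)
    url = "/grants/TSdqirmAxDa0_-DB_1bASQ"
    requests = [
        {"Authorization": "Bearer 2YotnFZFEjr1zCsicMWpAA"},
        {"Authorization": "Bearer 2YotnFZFEjr1zCsicMWpAA"},
        {"Authorization": "Bearer tokenOfOtherClient"},
        {},
    ]
    return [server.handle_delete(url, h)[0] for h in requests]


if __name__ == "__main__":
    print("idempotent policy:   ", sample_exchange("204"))            # [204, 204, 204, 401]
    print("invalid_grant policy:", sample_exchange("invalid_grant"))  # [204, 400, 400, 401]
```

Whichever answer the issue settles on, the handler keeps the not-found, already-revoked and not-owned cases indistinguishable to the caller, so the choice between 204 and `invalid_grant` changes idempotency for the legitimate client without turning the endpoint into an oracle for other clients' grant identifiers.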
