[Openid-specs-fapi] Issue #375: Grant Management Revoke Grant response (openid/fapi)
issues-reply at bitbucket.org
Thu Feb 18 10:37:46 UTC 2021
New issue 375: Grant Management Revoke Grant response
## Revoke Grant
To revoke a grant, the client sends a HTTP DELETE request to the grant's resource URL. The authorization server responds with a HTTP status code 204 and an empty response body.
This is illustrated by the following example.
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
HTTP/1.1 204 No Content
The AS MUST revoke the grant and all refresh tokens issued based on that particular grant, it SHOULD revoke all access tokens issued based on that particular grant.
Note: Token revocation as defined in [@RFC7009] differentiates from grant revocation as defined in this specification in that token revocation is not required to cause the revocation of the underlying grant. It is at the discretion of the AS to retain a grant in case of token revocation and allow the client to re-connect to this grant through a subsequent authorization request. This decoupling may improve user experience in case the client just wanted to discard the token as a credential.
This section needs to address the behaviour when the underlying Grant is invalid/not found. Does it behave similar to introspection \(returning 204 anyway\) or returns a 400 invalid\_grant?
More information about the Openid-specs-fapi