[Openid-specs-fapi] Issue #447: grant_id is given but grant_management_action is not (openid/fapi)
Takahiko Kawasaki
issues-reply at bitbucket.org
Fri Oct 1 12:52:33 UTC 2021
New issue 447: grant_id is given but grant_management_action is not
https://bitbucket.org/openid/fapi/issues/447/grant_id-is-given-but
Takahiko Kawasaki:
How should the authorization server behave when an authorization request includes `grant_id` but does not include `grant_management_action`? Examples of possible behaviors for this case are as follows.
1. Reject the authorization request
2. Use `update` or `replace` as the default value of `grant_management_action`
3. Ignore `grant_id` (and do nothing special for Grant Management)
One more relevant question is “how should the authorization server behave when an authorization request includes `grant_id` and the value of `grant_management_action` is `create`?” Examples of possible behaviors are as follows.
1. Reject the authorization request
2. Ignore `grant_id`
3. Issue a new grant ID that represents a grant which merges the privileges of the authorization request and the privileges of the grant specified by the `grant_id`
In other words, behaviors for the Case 4 and the Case 5 in the table below are not defined in the specification.
| **Case** | **grant_id** | **grant_management_action** | |
| --- | --- | --- | --- |
| 1 | not given | create | OK |
| 2 | not given | replace | NG |
| 3 | not given | update | NG |
| 4 | given | not given | ? |
| 5 | given | create | ? |
| 6 | given | replace | OK |
| 7 | given | update | OK |
See also the issue #445 “Condition for a token response to include a grant_id” which is a case where an authorization request includes neither `grant_id` nor `grant_management_action` but the authorization server supports Grant Management. The question there is “whether a grant ID should be issued or not in the case?”
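As an added illustration of the case table above (example code written for this page, not code from the issue, from the Grant Management specification, or from any authorization server), the following Python classifies an authorization request into the seven cases and shows where an implementer has to pick a policy for the two undefined ones. The `Policy` enum models the options listed in the issue, and the in-memory `GrantStore`, the `grant-N` identifier format, the ownership check on a referenced grant, and the `invalid_request` / `invalid_grant_id` error strings are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# The three grant_management_action values named in the issue's table.
ACTIONS = {"create", "replace", "update"}


class Policy(Enum):
    """How an AS resolves the undefined combinations (cases 4 and 5)."""
    REJECT = "reject"            # option 1 in both lists
    DEFAULT_UPDATE = "update"    # case 4, option 2 (default to update)
    DEFAULT_REPLACE = "replace"  # case 4, option 2 (default to replace)
    IGNORE_GRANT_ID = "ignore"   # case 4 option 3 / case 5 option 2
    MERGE = "merge"              # case 5, option 3


@dataclass
class GrantStore:
    """Constructed in-memory store: grant_id -> (client_id, set of scopes)."""
    grants: dict = field(default_factory=dict)
    _seq: int = 0

    def create(self, client_id: str, scopes: set) -> str:
        self._seq += 1
        gid = f"grant-{self._seq}"  # hypothetical identifier format
        self.grants[gid] = (client_id, set(scopes))
        return gid


def classify(grant_id: Optional[str], action: Optional[str]) -> int:
    """Map (grant_id given?, action) to the case number in the issue's table.
    Case 0 is 'neither parameter given' (the situation of issue #445)."""
    if action is not None and action not in ACTIONS:
        raise ValueError(f"unknown grant_management_action: {action}")
    table = {
        (False, None): 0,
        (False, "create"): 1, (False, "replace"): 2, (False, "update"): 3,
        (True, None): 4, (True, "create"): 5,
        (True, "replace"): 6, (True, "update"): 7,
    }
    return table[(grant_id is not None, action)]


def process(store: GrantStore, client_id: str, scopes: set,
            grant_id: Optional[str] = None, action: Optional[str] = None,
            case4: Policy = Policy.REJECT, case5: Policy = Policy.REJECT) -> dict:
    """Apply the request to the store and report the outcome."""
    case = classify(grant_id, action)
    out = {"case": case, "outcome": "reject", "action": action,
           "grant_id": None, "error": None}

    if case in (2, 3):  # replace/update with no grant to act on: NG in the table
        out["error"] = "invalid_request"
        return out

    merge_from = None
    if case == 4:  # grant_id given, action missing: policy decides
        if case4 is Policy.REJECT:
            out["error"] = "invalid_request"
            return out
        if case4 is Policy.IGNORE_GRANT_ID:
            grant_id, action = None, None
        elif case4 in (Policy.DEFAULT_UPDATE, Policy.DEFAULT_REPLACE):
            action = case4.value
        else:
            raise ValueError("MERGE is not a meaningful policy for case 4")
    elif case == 5:  # grant_id given together with create: policy decides
        if case5 is Policy.REJECT:
            out["error"] = "invalid_request"
            return out
        if case5 is Policy.IGNORE_GRANT_ID:
            grant_id = None
        elif case5 is Policy.MERGE:
            merge_from, grant_id = grant_id, None
        else:
            raise ValueError("case 5 policy must be REJECT, IGNORE_GRANT_ID or MERGE")
    out["action"] = action

    # Any referenced grant must exist and belong to the requesting client
    # (assumed ownership check: a grant_id must not let one client read or
    # modify another client's grant).
    existing: set = set()
    ref = grant_id or merge_from
    if ref is not None:
        entry = store.grants.get(ref)
        if entry is None or entry[0] != client_id:
            out["error"] = "invalid_grant_id"  # assumed error code
            return out
        existing = entry[1]

    if action is None:
        out["outcome"] = "ok"  # no grant management requested (issue #445 territory)
        return out
    if action == "create":
        out["grant_id"] = store.create(client_id, set(scopes) | existing)
    elif action == "replace":
        store.grants[grant_id] = (client_id, set(scopes))
        out["grant_id"] = grant_id
    else:  # update: add the requested privileges to the existing grant
        store.grants[grant_id] = (client_id, existing | set(scopes))
        out["grant_id"] = grant_id
    out["outcome"] = "ok"
    return out
```

Cases 1, 6 and 7 run through the common path; cases 2 and 3 are rejected outright, matching the NG rows; cases 4 and 5 only proceed when the caller has chosen a policy, which makes the open question of the issue explicit in code rather than silently picking one of the three behaviours.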