[Openid-specs-fapi] Issue #453: Grant ID from Authorization Endpoint (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Sun Oct 10 12:45:02 UTC 2021


New issue 453: Grant ID from Authorization Endpoint
https://bitbucket.org/openid/fapi/issues/453/grant-id-from-authorization-endpoint

Takahiko Kawasaki:

When an access token is issued from the authorization endpoint (when the `response_type` request parameter includes `token`), should a corresponding grant ID be issued together from the authorization endpoint? Or should the specification be modified to explicitly prevent a grant ID from being issued from the authorization endpoint?

In addition, if one more access token is issued from the token endpoint (when the `response_type` request parameter includes `code` in addition to `token`), should the grant ID issued from the token endpoint be identical to the one that has been issued from the authorization endpoint?

[A.1. OAuth Parameter Registry](https://openid.net/specs/fapi-grant-management-ID1.html#name-oauth-parameter-registry) of [Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management-ID1.html) states that the parameter location of `grant_id` is “authorization request, token response”. It may be possible to interpret this as “a grant ID should not be included in an authorization response”, but it is better to write it explicitly if so.
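
The following is an added example, not part of the original issue or of the specification: a small diagnostic that an implementer could run against a captured `response_type=code token` exchange to see where `grant_id` actually appears and whether the two values agree. The function name `grant_id_locations` and all sample values are constructed for illustration, and the check reports observations only; it does not decide which behaviour the specification should require.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: a redirect carrying an authorization response in the
# fragment (response_type=code token) and a token endpoint response body.
SAMPLE_REDIRECT = ("https://client.example/cb#access_token=AT-1"
                   "&token_type=bearer&code=C-1&state=xyz")
SAMPLE_TOKEN_BODY = json.dumps({"access_token": "AT-2", "token_type": "bearer",
                                "grant_id": "G-123"})

def grant_id_locations(redirect_url, token_response_body=None):
    """Report where grant_id appears across the two responses of one flow."""
    parts = urlsplit(redirect_url)
    authz = {}
    # Authorization response parameters may arrive in the query or the fragment,
    # depending on response_type and response_mode, so read both.
    for component in (parts.query, parts.fragment):
        for name, values in parse_qs(component).items():
            authz[name] = values[0]
    token = json.loads(token_response_body) if token_response_body else {}

    authz_gid = authz.get("grant_id")
    token_gid = token.get("grant_id")
    findings = []
    if "access_token" in authz and authz_gid is None:
        findings.append("access token from authorization endpoint has no grant_id")
    if authz_gid is not None:
        # The A.1 registry lists only "authorization request, token response".
        findings.append("grant_id present in authorization response")
    if authz_gid is not None and token_gid is not None and authz_gid != token_gid:
        findings.append("grant_id differs between the two responses")
    return {"authorization_response": authz_gid,
            "token_response": token_gid,
            "findings": findings}

if __name__ == "__main__":
    print(json.dumps(grant_id_locations(SAMPLE_REDIRECT, SAMPLE_TOKEN_BODY), indent=2))
```
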


