Grant management: Should grants expire?
Issue #355
resolved
Currently AS grants don’t have to expire. By exposing grants via grant management we need to think about expiry.
Expiry could happen at a grant level, authorization_details level or both. Grant could contain multiple authorization_details.
If a grant to expire, what behaviour do we expect? e.g. Remove authorization_details object
Comments (5)
-
-
I think grants usability should have an expiry but grants should always (up to legal retention period) remain present. Pretty sure that aligns with @Ralph Bragg .
-
reporter
Also discussed here: https://bitbucket.org/openid/fapi/issues/379/lifetime-of-grant_id
-
reporter
Conclusion of the Grant Management WG was that there is no need to enforce expiry at a grant level.
-
reporter
- changed status to resolved
Conclusion of the Grant Management WG was that there is no need to enforce expiry at a grant level.
- Log in to comment
I’d really be against the removal of these objects as the resources aren’t really owned by the bank, nor are they solely owned by the PSU or TPP. They’re shared resources and so they should have state and the state should change to reflect the their ‘expired’ status. The current or historical status will also need to be checked or validated by both PSUs and Clients.
The ownership of this resource should also be made clear, perhaps in the specification header, so that the joint ownership between the client and the psu is understood as a principle which would drive decisions about deletion or removal.