Grant Management: ambiguities around update

It’s a bit unclear what a grant update is intended to mean - overwrite or append/merge? Something else? AS decides?

I’d guess that it’s intended to mean append/merge. But there’s some text in Implementation Considerations, “update and append actions” that is maybe left over from a prior approach in the document but sort of suggests that update is something distinct from append.

Also, if the AS doesn’t support update (grant_update_supported) and receives a request with a legit grant_id, what is supposed to happen? Error or ignore the given grant_id and assign a new one (subject to grant_id_supported and/or grant_id_required)? Following the logic quoted below (or trying anyway), I think the “Otherwise” kicks in and the only mandated behavior in this situation is that there can’t be grant id in the token response. Which doesn’t sit quite right.

The grant_id value MUST have been issued by the respective authorization server and the respective client MUST be authorized to use the particular grant id. If the parameter is present and the AS supports grant updates (see (#server_metadata)), the AS will assign all permissions as consented by the user in the actual request to the respective grant. If the parameter is not present and the AS always issues grant ids or the AS optionally issues grant ids (see (#server_metadata)) and the client requires grant ids (see (#client_metadata)), the AS MUST create a new grant and return the respective grant id in the token response. Otherwise, the AS MUST NOT return a grant id in the token response.

‌

Comments (4)