Grant Management API Query Response missing normative structure

Section 6.4 (Query Status of a Grant) is defining a non-normative example of a response and is missing a normative definition.

The “scopes” section is ambiguous in its definition. The first bullet on “scopes” opens up for differences in the organization of the scopes section of the response which makes it hard to provide generic client implementations.

In order to provide interoperability it should define a structure that the server MUST comply with.

I propose the following language to provide an unambiguous response structure:

scopes: (required) JSON array where every entry is a JSON object that MUST contain a scope field and MAY contain a resource JSON array. The resource array contains one or more absolute URIs referencing the resources (as defined in [RFC8707]) authorized for that scope.
The scope MAY be the empty string if no explicit scope tokens are defined for a particular resource.
Additional entries MAY be added to each entry in the scopes JSON object.

claims: (optional) JSON array containing the names of all OpenID Connect claims (see [OpenID]) as requested and consented in one or more authorization requests associated with the respective grant.

authorization_details: (optional) JSON Object as defined in [I-D.ietf-oauth-rar] containing all authorization details as requested and consented in one or more authorization requests associated with the respective grant.

Comments (6)