grant_id is given but grant_management_action is not
How should the authorization server behave when an authorization request includes grant_id but does not include grant_management_action? Examples of possible behaviors for this case are as follows.
- Reject the authorization request
- Use update or replace as the default value of grant_management_action
- Ignore grant_id (and do nothing special for Grant Management)
One more relevant question is “how should the authorization server behave when an authorization request includes grant_id and the value of grant_management_action is create?” Examples of possible behaviors are as follows.
- Reject the authorization request
- Ignore grant_id
- Issue a new grant ID that represents a grant which merges the privileges of the authorization request and the privileges of the grant specified by the grant_id
In other words, the behaviors for Case 4 and Case 5 in the table below are not defined in the specification.
Case | grant_id | grant_management_action | Result
---|---|---|---
1 | not given | create | OK |
2 | not given | replace | NG |
3 | not given | update | NG |
4 | given | not given | ? |
5 | given | create | ? |
6 | given | replace | OK |
7 | given | update | OK |
See also issue #445 “Condition for a token response to include a grant_id”, which covers the case where an authorization request includes neither grant_id nor grant_management_action but the authorization server supports Grant Management. The question there is whether a grant ID should be issued in that case.
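The decision table above, worked through as an added example (not code from the issue, the specification, or Authlete): a resolver for the two request parameters in which the defined cases follow the table and the two undefined cases (4 and 5) are controlled by explicit policy knobs. The policy names, the Decision type and the error texts are assumptions made for this example; the default of rejecting cases 4 and 5 mirrors the implementer feedback below.

```python
# Constructed example: authorization-request handling of grant_id and
# grant_management_action per the case table, with undefined cases made explicit.
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"create", "replace", "update"}
CASE4_POLICIES = {"reject", "update", "replace", "ignore"}  # grant_id without action
CASE5_POLICIES = {"reject", "ignore", "merge"}              # grant_id with create


@dataclass(frozen=True)
class Decision:
    ok: bool
    action: Optional[str] = None    # effective action; None = nothing special
    grant_id: Optional[str] = None  # grant to act on; None = a new grant
    error: Optional[str] = None     # error_description for an invalid_request


def resolve(params: dict, missing_action: str = "reject",
            create_with_id: str = "reject") -> Decision:
    """Map the request parameters to a Decision; policies cover cases 4 and 5."""
    assert missing_action in CASE4_POLICIES and create_with_id in CASE5_POLICIES
    grant_id = params.get("grant_id")
    action = params.get("grant_management_action")
    if action is not None and action not in ACTIONS:
        return Decision(False, error="unknown grant_management_action")
    if grant_id is None:
        if action in ("replace", "update"):              # cases 2 and 3: NG
            return Decision(False, error=f"{action} requires grant_id")
        return Decision(True, action)                    # case 1, and issue #445
    if action in ("replace", "update"):                  # cases 6 and 7: OK
        return Decision(True, action, grant_id)
    if action is None:                                   # case 4: undefined
        if missing_action == "reject":
            return Decision(False, error="grant_management_action is required with grant_id")
        if missing_action == "ignore":
            return Decision(True, None)
        return Decision(True, missing_action, grant_id)  # default to update/replace
    if create_with_id == "reject":                       # case 5: undefined
        return Decision(False, error="grant_id must not be sent with create")
    if create_with_id == "ignore":
        return Decision(True, "create")
    return Decision(True, "merge", grant_id)             # caller merges privileges
```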
Comments (3)
Thanks Taka, I’ve created a pull request: https://bitbucket.org/openid/fapi/pull-requests/290
- changed status to resolved: Pull request merged
Feedback from an implementer: The current implementation of Authlete rejects requests in the cases of (4) and (5).