Grant ID from Authorization Endpoint
When an access token is issued from the authorization endpoint (when the response_type request parameter includes token), should a corresponding grant ID be issued together from the authorization endpoint? Or should the specification be modified to explicitly prevent a grant ID from being issued from the authorization endpoint?
In addition, if one more access token is issued from the token endpoint (when the response_type request parameter includes code in addition to token), should the grant ID issued from the token endpoint be identical to the one that has been issued from the authorization endpoint?
A.1. OAuth Parameter Registry of Grant Management for OAuth 2.0 states that the parameter location of grant_id is “authorization request, token response”. It may be possible to interpret this as “a grant ID should not be included in an authorization response”, but it is better to write it explicitly if so.
Comments (3)
- changed status to resolved
PR merged
Thanks Takahiko.
I’ve created this PR to address this issue: https://bitbucket.org/openid/fapi/pull-requests/303