Grant ID from Authorization Endpoint

When an access token is issued from the authorization endpoint (when the response_type request parameter includes token), should a corresponding grant ID be issued together from the authorization endpoint? Or should the specification be modified to explicitly prevent a grant ID from being issued from the authorization endpoint?

In addition, if one more access token is issued from the token endpoint (when the response_type request parameter includes code in addition to token), should the grant ID issued from the token endpoint be identical to the one that has been issued from the authorization endpoint?

A.1. OAuth Parameter Registry of Grant Management for OAuth 2.0 states that the parameter location of grant_id is “authorization request, token response”. It may be possible to interpret this as “a grant ID should not be included in an authorization response”, but it is better to write it explicitly if so.

Comments (3)