Expected behavior for grant_management_action=replace

Issue #454 resolved
Takahiko Kawasaki created an issue

The following requirement in “6.5. Revoke Grant”

The AS MUST revoke the grant and all refresh tokens issued based on that particular grant, it SHOULD revoke all access tokens issued based on that particular grant.

requires authorization server implementations to track the relationship between a grant ID and refresh tokens. From the description, it is clear that the “grant revoke” request to the grant management endpoint will result in revoking all relevant refresh tokens.

On the other hand, the following description in “3.3. Replace the details of a grant”

In some scenarios, clients might choose to replace the grant with the new one while keeping the same grant id. Old privileges will be revoked and new privileges will be added if approved by the user. The client has to specify full details of the new request.

and the explanation about replace in “5.2. Authorization Request”

replace: this mode requires the client to specify a grant id using the grant_id parameter. If the parameter is present and the AS supports the grant management action replace, the AS will change the grant to be ONLY the permissions requested by the client and consented by the user in the actual request.

are not so clear in terms of refresh token revocation.

A question raised here is as follows:

Which is the expected behavior for grant_management_action=replace?

  1. Just break the relationship. The previously-referenced refresh tokens remain valid.
  2. Break the relationship and revoke the previously-referenced refresh tokens.

See also the attached image which illustrates the question visually.

Comments (5)

  1. Dima Postnikov

    Discussed on today’s call: the intent is to make sure that old tokens are invalidated and cannot be used. They can either be revoked, or the token relationship with the grant needs to be broken.

    So both scenarios should be ok?

    What does everyone think?

  2. Torsten Lodderstedt

    To me the question is whether the issuance of a new refresh token will invalidate any pre-existing refresh tokens based on the same grant. I would answer: yes!

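The two candidate behaviours discussed in this issue, modelled as an added example (not code from the Grant Management specification or from any implementation mentioned above). The toy authorization server below keeps the grant-to-token bookkeeping that section 6.5 requires, and `replace_grant` shows both interpretations side by side: option 2 (revoke the previously issued refresh tokens, the default, matching the answer in comment 2) and option 1 (only break the grant relationship, so the old refresh tokens stay valid but are orphaned). All class, method and parameter names are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    """Server-side record of one grant (hypothetical structure)."""
    grant_id: str
    scopes: set
    refresh_tokens: set = field(default_factory=set)
    access_tokens: set = field(default_factory=set)


class AuthorizationServer:
    """Toy AS tracking grant_id -> refresh/access tokens, as 6.5 requires."""

    def __init__(self):
        self.grants = {}          # grant_id -> Grant
        self.refresh_tokens = {}  # refresh token -> grant_id (None = orphaned but valid)
        self.access_tokens = {}   # access token -> grant_id

    def _issue_tokens(self, grant):
        # Constructed token values; a real AS would use its own token format.
        rt, at = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        grant.refresh_tokens.add(rt)
        grant.access_tokens.add(at)
        self.refresh_tokens[rt] = grant.grant_id
        self.access_tokens[at] = grant.grant_id
        return rt, at

    def create_grant(self, consented_scopes):
        """grant_management_action=create: new grant id plus a first token pair."""
        grant = Grant(grant_id=secrets.token_urlsafe(8), scopes=set(consented_scopes))
        self.grants[grant.grant_id] = grant
        rt, at = self._issue_tokens(grant)
        return grant.grant_id, rt, at

    def replace_grant(self, grant_id, consented_scopes, revoke_old_tokens=True):
        """grant_management_action=replace: same grant id, ONLY the newly consented scopes.

        revoke_old_tokens=True  -> option 2: old refresh/access tokens are revoked.
        revoke_old_tokens=False -> option 1: only the grant relationship is broken;
                                   the old tokens remain valid but reference no grant.
        """
        grant = self.grants[grant_id]
        old_rts, old_ats = set(grant.refresh_tokens), set(grant.access_tokens)
        grant.refresh_tokens.clear()
        grant.access_tokens.clear()
        grant.scopes = set(consented_scopes)  # old privileges dropped, new ones added
        for token_map, old in ((self.refresh_tokens, old_rts), (self.access_tokens, old_ats)):
            for token in old:
                if revoke_old_tokens:
                    del token_map[token]      # token can no longer be used
                else:
                    token_map[token] = None   # still valid, no longer tied to the grant
        return self._issue_tokens(grant)

    def revoke_grant(self, grant_id):
        """Section 6.5: revoke the grant and every token issued under it."""
        grant = self.grants.pop(grant_id)
        for rt in grant.refresh_tokens:
            del self.refresh_tokens[rt]
        for at in grant.access_tokens:
            del self.access_tokens[at]

    def refresh_token_is_valid(self, rt):
        return rt in self.refresh_tokens

    def grant_for_refresh_token(self, rt):
        """Returns the grant id a refresh token belongs to, or None if orphaned/unknown."""
        return self.refresh_tokens.get(rt)


if __name__ == "__main__":
    az = AuthorizationServer()
    gid, rt1, _ = az.create_grant({"accounts:read"})
    rt2, _ = az.replace_grant(gid, {"payments:write"})
    print("old refresh token valid after replace:", az.refresh_token_is_valid(rt1))  # False
    print("new refresh token valid after replace:", az.refresh_token_is_valid(rt2))  # True
```

With the default (option 2) a later grant revocation under 6.5 only has to walk the tokens still linked to the grant, whereas under option 1 the orphaned refresh tokens are outside that walk entirely and would keep working until they expire, which is the ambiguity the issue points at.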