On 09/07/2020 11:07, Neil Madden wrote:
>
>> An AS is always free to implement the 2 step solution that you proposed and indeed it could be easier to implement with RAR in the manner you described, but I don't think it should be the prescribed approach.
>
> How can an AS implement this with RAR? This is my point - there is no mechanism at all in RAR to link a transaction to any kind of prior consent. It's not about mandating such an approach, it's about *supporting* it at all. Every transaction in RAR is a blank slate at the moment.
The ability to reference an existing grant is a general problem with OAuth.

The grant management draft has a "grant_id" parameter which can be used to reference prior consent. I suppose to reference prior consent as context only, a new grant_management_mode may be needed.

https://bitbucket.org/openid/fapi/src/master/Financial_API_Grant_Management.md

We also have OAuth Incremental Authorization, which references a refresh token:

https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-04

Vladimir
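To make the "link a transaction to prior consent" point concrete, here is an added sketch (not code from this thread, from the RAR draft, or from the Grant Management draft) of how an AS could resolve a RAR authorization request that carries a grant_id against the consent it previously recorded. The grant store, the payment_initiation field names and the rule that a referenced grant must belong to the requesting client and cover the debtor account are all assumptions for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample grant store (grant_id -> prior consent); not real data.
GRANTS = {
    "grant-7f3a": {
        "client_id": "tpp-1",
        "subject": "alice",
        "accounts": ["DE02120300000000202051"],
    }
}

class GrantError(Exception):
    """The request cannot be tied to prior consent; the AS should reject it."""

def build_request(details, client_id, grant_id=None):
    """Client side: serialise a RAR authorization request query string."""
    params = {"response_type": "code", "client_id": client_id,
              "authorization_details": json.dumps(details)}
    if grant_id is not None:
        params["grant_id"] = grant_id  # reference to earlier consent (assumed usage)
    return urlencode(params)

def resolve_prior_consent(query_string, client_id):
    """AS side: parse the request and, if grant_id is present, bind the new
    transaction to the consent recorded under that grant."""
    params = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    details = json.loads(params["authorization_details"])
    if not isinstance(details, list) or not details:
        raise GrantError("authorization_details must be a non-empty JSON array")
    grant_id = params.get("grant_id")
    if grant_id is None:
        # Plain RAR: nothing ties this transaction to earlier consent.
        return {"prior_consent": None, "transaction": details}
    grant = GRANTS.get(grant_id)
    if grant is None or grant["client_id"] != client_id:
        # Same error for unknown and foreign ids, so no other client's grant leaks.
        raise GrantError("grant_id not found for this client")
    # Assumed consistency rule: the transaction may only touch accounts the
    # user already consented to under the referenced grant.
    for d in details:
        if d.get("debtorAccount") not in grant["accounts"]:
            raise GrantError("transaction exceeds prior consent")
    return {"prior_consent": grant, "transaction": details}

def is_rejected(query_string, client_id):
    """Helper for checks: True if the AS would refuse to link the request."""
    try:
        resolve_prior_consent(query_string, client_id)
        return False
    except GrantError:
        return True
```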
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
