Difference between revisions of "Grant"
From MgmtWiki
Latest revision as of 11:22, 26 August 2021
Full Title or Meme
An Authorization Grant is a specific structure that gives some entity on the internet authorization to access a Resource.
Context
In OAuth 2.0 an authorization grant is defined as:
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. This specification defines four grant types -- authorization code, implicit, resource owner password credentials, and client credentials -- as well as an extensibility mechanism for defining additional types.
Later uses extended the grant types to include authorization for users to gain access to Resources, as well as User Consent for a Relying Party to access User Information.
Problems
- Once an Authorization Grant is issued as a Bearer Token, there is no practical way to Revoke it.
- OAuth 2.0 and OpenID Connect allow, but do not require User Consent before they are issued.
Solutions
- Give Authorization Grants a short lifetime, like 5 to 10 minutes, which could create problems for long-running interactions with a Subject.
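As an added example (not from this wiki or from any OAuth library), a minimal signed bearer grant with the short lifetime suggested above: the verifier checks only authenticity and the expiry claim, so once issued the grant is valid until it expires and the lifetime is what bounds the exposure. The HMAC key, claim names and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# The page's suggested window: 5 to 10 minutes. Ten minutes is assumed here.
GRANT_LIFETIME_SECONDS = 10 * 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(key: bytes, subject: str, scope: str, now: int,
                lifetime: int = GRANT_LIFETIME_SECONDS) -> str:
    """Mint a bearer grant: base64url(claims) '.' base64url(HMAC-SHA256 tag)."""
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_grant(key: bytes, token: str, now: int):
    """Return the claims if the grant is authentic and unexpired, else None.

    Nothing here consults a revocation list: a bearer grant is accepted by
    whoever presents it until 'exp' passes, which is why the lifetime is short.
    """
    try:
        body, tag = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered claims
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None  # expired: the only way this grant stops working
    return claims
```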