FAPI draft 06 requires a list of granted scopes to be returned:
"15.shall return the list of granted scopes with the issued access token;"
FAPI 1.0 requires a list of granted scopes to be returned, conditionally:
"15. shall return the list of granted scopes with the issued access token if the request was passed in the front channel and was not integrity protected;"
Currently, some Data Holders (DHs) do not support this requirement. If they delay until FAPI 1.0-Final, they may never have to support it.
- What is the risk posed to the ecosystem by not supporting the FAPI draft 06 requirement?
- What is the timeline for FAPI 1.0-Final uplift?
DHs should support Draft 06. This is the current dependency of the CDS. This requirement will be changed in line with FAPI 1.0 when it becomes the CDS dependency.
The risk is that for an ADR with a hard dependency on expecting scopes, failure to return the scopes breaks the ADR software product. Given some DHs are not currently compliant, it is unlikely any ADR has a hard dependency.
The migration to FAPI 1.0 will be phased. Where this requirement is phased in over other changes is yet to be determined. The migration of the entire ecosystem to fully support FAPI 2.0 is expected to complete in early 2023.