<?xml version='1.0' encoding='utf-8'?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.13 -->
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-hardt-gnap-advanced-01" category="std" consensus="true" obsoletes="" updates="" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 2.47.0 -->
  <front>
    <title>The Grant Negotiation and Authorization Protocol - Advanced Features</title>
    <seriesInfo name="Internet-Draft" value="draft-hardt-gnap-advanced-01"/>
    <author initials="D." surname="Hardt" fullname="Dick Hardt" role="editor">
      <organization>SignIn.Org</organization>
      <address>
        <postal>
          <country>United States</country>
        </postal>
        <email>dick.hardt@gmail.com</email>
      </address>
    </author>
    <date year="2020" month="August" day="15"/>
    <area>Security</area>
    <abstract>
      <t>TBD</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" toc="default">
      <name>Introduction</name>
      <t>This document includes additional features for the Grant Negotiation and Authorization Protocol (GNAP) <xref target="GNAP" format="default"/>, and presumes familiarity and knowledge of GNAP.</t>
      <t><strong>Terminology</strong></t>
      <t>This document uses the following terms defined in <xref target="GNAP" format="default"/>:</t>
      <ul spacing="normal">
        <li>authN</li>
        <li>authZ</li>
        <li>Access</li>
        <li>Access URI</li>
        <li>Claim</li>
        <li>Grant Client (GC)</li>
        <li>Registered Client</li>
        <li>Grant</li>
        <li>Grant Server (GS)</li>
        <li>Grant URI</li>
        <li>Grant Request</li>
        <li>Grant Response</li>
        <li>GS URI</li>
        <li>Interaction</li>
        <li>NumericDate</li>
        <li>Resource Owner (RO)</li>
        <li>Resource Server (RS)</li>
        <li>User</li>
      </ul>
      <t><strong>Notational Conventions</strong></t>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
specification are to be interpreted as described in <xref target="RFC2119" format="default"/>.</t>
      <t>Certain security-related terms are to be understood in the sense
defined in <xref target="RFC4949" format="default"/>.  These terms include, but are not limited to,
"attack", "authentication", "authorization", "certificate",
"confidentiality", "credential", "encryption", "identity", "sign",
"signature", "trust", "validate", and "verify".</t>
      <t>Unless otherwise noted, all the protocol parameter names and values
are case sensitive.</t>
      <t>Some protocol parameters are parts of a JSON document, and are referred to in JavaScript notation. For example, foo.bar refers to the "bar" boolean attribute in the "foo" object in the following example JSON document:</t>
      <artwork name="" type="" align="left" alt=""><![CDATA[
{
    "foo" : {
        "bar": true
    }
}
]]></artwork>
    </section>
    <section anchor="grant-management-apis" numbered="true" toc="default">
      <name>Grant Management APIs</name>
      <t>In addition to creating and reading a Grant as specified in GNAP The GC MAY list, update, delete, and discover a Grant.</t>
      <section anchor="ListGrants" numbered="true" toc="default">
        <name>List Grants</name>
        <t>The GC MAY list the Grants provided to the GC by doing an a GET on the GS URI. The GS MUST respond with a list of Grant URIs [ format TBD] or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
      </section>
      <section anchor="UpdateGrant" numbered="true" toc="default">
        <name>Update Grant</name>
        <t>The GC updates a Grant by doing an HTTP PUT of a JSON document to the corresponding Grant URI.</t>
        <t>The JSON document MUST include the following from the <xref target="GNAP" format="default"/> Grant Request JSON:</t>
        <ul spacing="normal">
          <li>iat</li>
          <li>uri set to the Grant URI</li>
        </ul>
        <t>and MAY include the following from the <xref target="GNAP" format="default"/> Grant Request JSON:</t>
        <ul spacing="normal">
          <li>user</li>
          <li>interaction</li>
          <li>authorization or authorizations</li>
          <li>claims</li>
        </ul>
        <t>The GS MUST respond with one of the standard GNAP responses (Grant Response, Interaction Response, Wait Response) or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
        <t>Following is a non-normative example where the GC wants to update the Grant Request with additional claims:</t>
        <artwork name="" type="" align="left" alt=""><![CDATA[
{ 
    "iat"       : 15790460234,
    "uri"       : "https://as.example/endpoint/grant/example3",
    "claims": {
        "oidc": {
            "userinfo" : {
                "email"          : { "essential" : true },
                "name"           : { "essential" : true },
                "picture"        : null
            }
        }
    }
}
]]></artwork>
      </section>
      <section anchor="DeleteGrant" numbered="true" toc="default">
        <name>Delete Grant</name>
        <t>The GC deletes a Grant by doing an HTTP DELETE of the corresponding Grant URI.</t>
        <t>The GS MUST respond with OK 200, or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
      </section>
      <section anchor="GrantOptions" numbered="true" toc="default">
        <name>Grant Options</name>
        <t>The GC can get the supported operations for a Grant by doing an HTTP OPTIONS of the corresponding Grant URI.</t>
        <t>The GS MUST respond with the supported methods</t>
        <t>[Format TBD]</t>
        <t>or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
      </section>
    </section>
    <section anchor="authorization-management-apis" numbered="true" toc="default">
      <name>Authorization Management APIs</name>
      <t>In addition to reading an Authorization as specified in <xref target="GNAP" format="default"/>, The GC MAY update, delete, and discover an Authorization.</t>
      <section anchor="UpdateAccess" numbered="true" toc="default">
        <name>Update Access</name>
        <t>The GC updates an Authorization by doing an HTTP PUT to the corresponding Access URI of the following JSON. All of the following MUST be included.</t>
        <ul spacing="normal">
          <li>
            <strong>iat</strong> - the time of the request as a NumericDate.</li>
          <li>
            <strong>uri</strong> - the Access URI.</li>
          <li>
            <strong>access</strong> - the new access requested per the <xref target="GNAP" format="default"/> Grant Request JSON "access" object.</li>
        </ul>
        <t>The GS MUST respond with a GNAP Access JSON document, or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
      </section>
      <section anchor="DeleteAccess" numbered="true" toc="default">
        <name>Delete Access</name>
        <t>The GC deletes an Access by doing an HTTP DELETE to the corresponding Access URI.</t>
        <t>The GS MUST respond with OK 200, or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
        <t>A GS MAY indicate support for this feature by including the "DELETE" method in the Access URI OPTIONS response.</t>
      </section>
      <section anchor="AccessOptions" numbered="true" toc="default">
        <name>Access Options</name>
        <t>The GC can get the supported operations for an Access by doing an HTTP OPTIONS of the corresponding Access URI.</t>
        <t>The GS MUST respond with the supported methods</t>
        <t>[Format TBD]</t>
        <t>or one of the following errors:</t>
        <ul spacing="normal">
          <li>TBD</li>
        </ul>
        <t>from Error Responses <xref target="ErrorResponses" format="default"/>.</t>
      </section>
    </section>
    <section anchor="reciprocal-grant" numbered="true" toc="default">
      <name>Reciprocal Grant</name>
      <t>Party A and Party B both want to obtain a Grant from the other party. Each party will be both Grant Client and Grant Server. This would require two complete GNAP flows with an awkward redirect between them, and the User may have to authenticate multiple times as context is lost. Reciprocal Grant simplifies the User experience.</t>
      <t>In the following sequence, steps 1 - 7 &amp; 9 are a standard GNAP sequence.</t>
      <artwork name="" type="" align="left" alt=""><![CDATA[
              Party A                            Party B
             +--------+                         +--------+
             |        |                         |        |
             | Client |--(1)-- Create Grant A ->|   GS   |
             |        |                         |        |
             | Client |<--- Interaction ---(2)--|   GS   |
             |        |      Response           |        |
             |        |                         |        |
             | Client |--(3)--- Read Grant A -->|   GS   |       +---+
             |        |                         |        |       | U |
             | Client |--(4)--- Interaction --- | - - -  | ----->| s |
             |        |          Transfer       |        |       | e |
             |        |                         |   GS   |<-(5)->| r |
             |        |                         |        | authN |   |
             |        |                         |   GS   |<-(6)->|   |
             |        |                         |        | authZ |   |
             | Client |<------- Grant A ---(7)--|   GS   |       +---+
             |        |        Response         |        |
             |        |                         |        |
             |   GS   |<- Create Grant B --(8)--| Client |
+---+        |        |   user.reciprocal       |        |
| U |        |        |                         |        |
| s |<------ | - - -  | --- Interaction --(9)---|   GS   |
| e |        |        |     Transfer            |        |
| r |<-(10)->|   GS   |                         |        |
|   | AuthZ  |        |                         |        |
+---+        |   GS   |--(11)-- Grant B ------->| Client |
             |        |         Response        |        |
             +--------+                         +--------+

Client = Grant Client
]]></artwork>
      <ol spacing="normal" type="1">
        <li>
          <strong>Create Grant A</strong> Party A makes a Create Grant request to the Party B GS URI.</li>
        <li>
          <strong>Interaction Response</strong>  Party B returns an interaction response containing the Grant A URI.</li>
        <li>
          <strong>Read Grant A</strong> Party A does an HTTP GET of the Grant A URI.</li>
        <li>
          <strong>Interaction Transfer</strong> Party A transfers User interaction to the Party B.</li>
        <li>
          <strong>User Authentication</strong> Party B authenticates the User.</li>
        <li>
          <strong>User Authorization</strong> If required, Party B interacts with the User to determine which identity claims and/or authorizations in the Grant A Request are to be granted.</li>
        <li>
          <strong>Create GrantB</strong> Party B creates its Grant B Request with user.reciprocal set to the Grant A URI that will be in the step (2) Grant A Response, and sends it with an HTTP POST to the Party A GS URI. This enables Party A to correlate the Grant B Request and its Grant and the User.</li>
        <li>
          <strong>Grant S Response</strong> Party B responds to Party A's Create Grant A Request with a Grant A Response.</li>
        <li>
          <strong>Interaction Transfer</strong> Party B redirects the User to the Completion URI at Party A.</li>
        <li>
          <strong>User Authorization</strong> If required, Party A interacts with the User to determine which identity claims and/or authorizations in Party B's Grant B Request are to be granted.</li>
        <li>
          <strong>Grant B Response</strong> Party A responds with the Grant B Response.</li>
      </ol>
      <ul spacing="normal">
        <li>
          <strong>reciprocal</strong> - a new attribute of the <xref target="GNAP" format="default"/> Request JSON user object. MUST be set to a Grant URI.</li>
      </ul>
    </section>
    <section anchor="GSInitiatedGrantSeq" numbered="true" toc="default">
      <name>GS Initiated Grant</name>
      <t>The User is at the GS, and wants to interact with a Registered Client. The GC has previously configured an initiation_uri at the GS, and the Grant it requires.</t>
      <t>In this sequence, the GS creates a Grant and redirects the User to the GC's initiation_uri passing a Grant URI:</t>
      <artwork name="" type="" align="left" alt=""><![CDATA[
+--------+                                  +-------+         +------+
|   GC   |                                  |  GS   |         | User |
|        |                                  |       |<--(1)-->|      |
|        |                                  |       |         |      |
|        |<----- GS Initiation Redirect --- | - - - | --(2)---|      |
|   (3)  |                                  |       |         |      |
| verify |--(4)--- Read Grant ------------->|       |         +------+
|        |                                  |       |
|        |<--------- Grant Response --(5)---|       |
|        |                                  |       |
+--------+                                  +-------+
]]></artwork>
      <ol spacing="normal" type="1">
        <li>
          <strong>User Interaction</strong> The GS interacts with the User to determine the GC and what identity claims and / or authorizations to provide. The GS creates a Grant and corresponding Grant URI.</li>
        <li>
          <strong>GS Initiated Redirect</strong> The GS redirects the User to the GC's initiation_uri, adding a query parameter with the name "grant_uri" and the value being the URL encoded Grant URI.</li>
        <li>
          <strong>Client Verification</strong> The GC verifies the Grant URI starts with a GS URI from a GS the GC trusts.</li>
        <li>
          <strong>Read Grant</strong> The GC does an HTTP GET of the Grant URI.</li>
        <li>
          <strong>Grant Response</strong> The GS responds with a Grant Response.</li>
      </ol>
      <ul spacing="normal">
        <li>
          <strong>initiation_uri</strong> - a URI at the GC that contains no query or fragment. How the GS learns the GC initiation_uri and require Grant is out of scope of this document.</li>
      </ul>
    </section>
    <section anchor="user-exists" numbered="true" toc="default">
      <name>User Exists</name>
      <t>The GC may want to provide a different experience to the User depending on if a User already exists at the GS. By including one or more identifiers in the Grant Request user.identifiers object, and setting user.exists to true, the GS MAY include a user.exists attribute in a GNAP Interaction Response. The value is true if the GS has a user with one or more of the GC provided identifers, and false if not.</t>
      <ul spacing="normal">
        <li>
          <strong>exists</strong> - a new attribute of the "user" object. If present in a GNAP Grant Request, it MUST be set to true.</li>
      </ul>
      <t>A GS indicates support for this feature by returning the features.user_exists attribute in the GS Options response set to true.</t>
    </section>
    <section anchor="multiple-interactions" numbered="true" toc="default">
      <name>Multiple Interactions</name>
      <t>There are situations where the GC can not, or prefers not, to ask for all identity claims and/or authorizations it requires.</t>
      <t>In this example sequence, the GC requests an identity claim to determine who the User is. Once the GC learns who the User is, the GC updates the Grant for additional identity claims which the GS prompts the User for and returns to the GC. Once those additional claims are received, the GC updates the Grant with the remaining identity claims required.</t>
      <artwork name="" type="" align="left" alt=""><![CDATA[
+--------+                                  +-------+
| Client |                                  |  GS   |
|        |--(1)--- Create Grant ----------->|       |
|        |         multi = true             |       |
|        |                                  |       |
|        |<--- Interaction Response ---(2)--|       |
|        |         multi = true             |       |
|        |                                  |       |
|        |--(3)--- Read Grant ------------->|       |         +------+
|        |                                  |       |         | User |
|        |--(4)--- Interaction Transfer --- | - - - | ------->|      |
|        |                                  |       |         |      |
|        |                                  |       |<--(5)-->|      |
|        |                                  |       |  authN  |      |
|        |<--------- Grant Response ---(6)--|       |         |      |
|  (7)   |                                  |       |         |      |
|  eval  |--(8)--- Update Grant ----------->|       |         |      |
|        |         multi = true             |       |<--(9)-->|      |
|        |                                  |       |  authZ  |      |
|        |<--------- Grant Response --(10)--|       |         |      |
|        |           multi = true           |       |
|  (11)  |                                  |       |         |      |
|  eval  |--(12)-- Update Grant ----------->|       |         |      |
|        |         multi = false            |       |<--(13)->|      |
|        |                                  |       |  authZ  |      |
|        |                                  |       |         |      |
|        |<--- Interaction Transfer --(14)- | - - - | --------|      |
|        |                                  |       |         |      |
|        |<--------- Grant Response --(15)--|       |         +------+
|        |           multi = false          |       |
|        |                                  |       |
+--------+                                  +-------+

    Client = Grant Client
]]></artwork>
      <ol spacing="normal" type="1">
        <li>
          <strong>Create Grant</strong> The GC creates a Grant Request (CreateGrant) including an identity claim and interaction.global.multi set to true, and sends it with an HTTP POST to the GS GS URI.</li>
        <li>
          <strong>Interaction Response</strong>  The GS sends an Interaction Response containing the Grant URI and an interaction object, and interaction.global.multi set to true.</li>
        <li>
          <strong>Read Grant</strong> The GC does an HTTP GET of the Grant URI.</li>
        <li>
          <strong>Interaction Transfer</strong> The GC transfers User interaction to the GS.</li>
        <li>
          <strong>User Authentication</strong> The GS authenticates the User.</li>
        <li>
          <strong>Grant Response</strong> The GS responds with a Grant Response including the identity claim from User authentication and interaction.global.multi set to true.</li>
        <li>
          <strong>Grant Evaluation</strong> The GC queries its User database and does not find a User record matching the identity claim.</li>
        <li>
          <strong>Update Grant</strong> The GC creates an Update Grant Request <xref target="UpdateGrant" format="default"/> including the initial identity claims required and interaction.global.multi set to true, and sends it with an HTTP PUT to the Grant URI.</li>
        <li>
          <strong>User AuthN</strong> The GS interacts with the User to determine which identity claims in the Update Grant Request are to be granted.</li>
        <li>
          <strong>Grant Response</strong> The GS responds with a Grant Response including the identity claims released by the User and interaction.global.multi set to true.</li>
        <li>
          <strong>Grant Evaluation</strong> The GC evaluates the identity claims in the Grant Response and determines the remaining User identity claim required.</li>
        <li>
          <strong>Update Grant</strong> The GC creates an Update Grant Request <xref target="UpdateGrant" format="default"/> including the remaining required identity claims and interaction.global.multi set to false, and sends it with an HTTP PUT to the Grant URI.</li>
        <li>
          <strong>User AuthZ</strong> The GS interacts with the User to determine which identity claims in the Update Grant Request are to be granted.</li>
        <li>
          <strong>Interaction Transfer</strong> The GS transfers User interaction to the GC.</li>
        <li>
          <strong>Grant Response</strong> The GS responds with a Grant Response including the identity claims released by the User and interaction.global.multi set to false.</li>
      </ol>
      <ul spacing="normal">
        <li>
          <strong>multi</strong> - a new boolean attribute of the GNAP interaction.global object.</li>
      </ul>
      <t>A GS indicates support for this feature by returning the features.interaction_multi attribute in the GS Options response set to true.</t>
    </section>
    <section anchor="ErrorResponses" numbered="true" toc="default">
      <name>Error Responses</name>
      <ul spacing="normal">
        <li>TBD</li>
      </ul>
    </section>
    <section anchor="acknowledgments" numbered="true" toc="default">
      <name>Acknowledgments</name>
      <t>TBD</t>
    </section>
    <section anchor="iana-considerations" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>TBD</t>
    </section>
    <section anchor="security-considerations" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>TBD</t>
    </section>
  </middle>
  <back>
    <references>
      <name>Normative References</name>
      <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="BCP" value="14"/>
          <author initials="S." surname="Bradner" fullname="S. Bradner">
            <organization/>
          </author>
          <date year="1997" month="March"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="RFC4949" target="https://www.rfc-editor.org/info/rfc4949" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml">
        <front>
          <title>Internet Security Glossary, Version 2</title>
          <seriesInfo name="DOI" value="10.17487/RFC4949"/>
          <seriesInfo name="RFC" value="4949"/>
          <seriesInfo name="FYI" value="36"/>
          <author initials="R." surname="Shirey" fullname="R. Shirey">
            <organization/>
          </author>
          <date year="2007" month="August"/>
          <abstract>
            <t>This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed.  This memo provides information for the Internet community.</t>
          </abstract>
        </front>
      </reference>
      <reference anchor="GNAP" target="https://tools.ietf.org/html/draft-hardt-xauth-protocol">
        <front>
          <title>The Grant Negotiation and Authorization Protocol</title>
          <author initials="D." surname="Hardt">
            <organization/>
          </author>
          <date year="2020" month="June"/>
        </front>
      </reference>
    </references>
    <section anchor="document-history" numbered="true" toc="default">
      <name>Document History</name>
      <section anchor="draft-hardt-gnap-advanced-00" numbered="true" toc="default">
        <name>draft-hardt-gnap-advanced-00</name>
        <ul spacing="normal">
          <li>Initial version</li>
        </ul>
      </section>
      <section anchor="draft-hardt-gnap-advanced-01" numbered="true" toc="default">
        <name>draft-hardt-gnap-advanced-01</name>
        <ul spacing="normal">
          <li>renamed verb to method</li>
          <li>renamed Authorization to Access</li>
          <li>renamed Client to Grant Client (GC)</li>
        </ul>
      </section>
    </section>
    <section anchor="gs-api-table" numbered="true" toc="default">
      <name>GS API Table</name>
      <t>Below is a consolidated table of GS APIs from <xref target="GNAP" format="default"/> and this document:</t>
      <table align="center">
        <thead>
          <tr>
            <th align="left">request</th>
            <th align="left">http method</th>
            <th align="left">uri</th>
            <th align="left">response</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">Create Grant</td>
            <td align="left">POST</td>
            <td align="left">GS URI</td>
            <td align="left">interaction, wait, or Grant</td>
          </tr>
          <tr>
            <td align="left">List Grants</td>
            <td align="left">GET</td>
            <td align="left">GS URI</td>
            <td align="left">Grant list</td>
          </tr>
          <tr>
            <td align="left">Verify Grant</td>
            <td align="left">PATCH</td>
            <td align="left">Grant URI</td>
            <td align="left">Grant</td>
          </tr>
          <tr>
            <td align="left">Read Grant</td>
            <td align="left">GET</td>
            <td align="left">Grant URI</td>
            <td align="left">wait, or grant</td>
          </tr>
          <tr>
            <td align="left">Update Grant</td>
            <td align="left">PUT</td>
            <td align="left">Grant URI</td>
            <td align="left">Interaction, wait, or Grant</td>
          </tr>
          <tr>
            <td align="left">Delete Grant</td>
            <td align="left">DELETE</td>
            <td align="left">Grant URI</td>
            <td align="left">success</td>
          </tr>
          <tr>
            <td align="left">Read Access</td>
            <td align="left">GET</td>
            <td align="left">Access URI</td>
            <td align="left">Access</td>
          </tr>
          <tr>
            <td align="left">Update Access</td>
            <td align="left">PUT</td>
            <td align="left">Access URI</td>
            <td align="left">Access</td>
          </tr>
          <tr>
            <td align="left">Delete Access</td>
            <td align="left">DELETE</td>
            <td align="left">Access URI</td>
            <td align="left">success</td>
          </tr>
          <tr>
            <td align="left">GS Options</td>
            <td align="left">OPTIONS</td>
            <td align="left">GS URI</td>
            <td align="left">metadata</td>
          </tr>
          <tr>
            <td align="left">Grant Options</td>
            <td align="left">OPTIONS</td>
            <td align="left">Grant URI</td>
            <td align="left">metadata</td>
          </tr>
          <tr>
            <td align="left">Access Options</td>
            <td align="left">OPTIONS</td>
            <td align="left">Access URI</td>
            <td align="left">metadata</td>
          </tr>
        </tbody>
      </table>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAP1lOF8AA808a1MbybXf51d0iaos2EggbK8XytmKeNhmrw0OgqSySWqr
mWmJuR7NKNMjZAL895xHd0/PQwIMZMPWrjSt7tPn1efZs91uN4iyMJUTtSOi
XI6K7oXMo6I7TuW0K6NLmYYq6m72gyIuEphzeqHEh1ymhThS46yIZRFnqZBp
JAaz4iLL43/zyJc8K7IwS0RXDAwU8V7JYpYrHUSyAFBbm1ub3c2fuv03QQgD
4yy/2hG6iIJ4mu+IIp/pYmtzc3tzK5C5kjtiqMJZHhdXQZilWqV6pmmWCgJJ
W+8EAv7iFIb3e+IjkkEjWT6WqcELoMTj9DDtHedj+jHPkCoVxUWW0wCzYj8O
v3og1ETGCTAIRnvEnz+NcaQXZhP6PcxmaYHon6VxAZQOCyBIB0Ga5RPY91Lt
BDDv5P3eVr+/vcNfX2+/3qbhD0eDL4z7d/KY18p8rIodcVEUU72zsVFkWaJ7
sSpGPWDAxkUxSTZ8AX9DpnWnPggWyy+zVIkf10k8NOxzV4iu+axzOgjidOSR
2+12hTzXRS7DQgTB6e4+j03iKEpAZiviEFiWRbMQaYEJF7EWoIqziQLC4zRM
ZpHSQkYgGpggEzEy6iNgG1E8VA9Xkc1r4voaP29v12nuFMDBhgBSTuIklqhe
9MPXNJsnKhorkY1IQD0g8MWLU5VP4jRLsvHVixd1nGcaACFeoyxJsnmcjkUB
82GGGsUpaEWcuu2BQS+JsUfm81f4HISh0tp9EWcnh/Cwl8h4Ap9M7V4S416r
H/bWYOxEjWMNmwBw/sHOc/OHKr9UOcwfrrkxhsvfT9S/ZkoX3rOe4vHCgaGZ
CYJSKEaU00txBNTmcbgPykIY6GyWh0ocz1Pc5+R4zR+125/Q9mda5cTHo6yQ
Rqp7WXoJiMODZpYq8VVdiXmWR1p0Pp8NTzvr/CmOjun7ycGfzw5PDvbx+/Dj
4NMn94VnBPBwfPbJ/I7fypV7x58/Hxzt8+LPg791WA86x19OD4+PBp86KKQC
xBroqQrjURwaxcqVKDJxruB3YAboDR5zibLVYR6fW+maI357C/qyp/JCwqg2
dqubq0TiMtaKEuQsjVSu4cBGvLsSaN5UUNEbYzEAskADoZUBY07KujifFQQz
zQqRxBOyQ0UG3JBFIcOvSDAqGvKaibIj7rDgQAhIM9kKOQmmdhRHuEYmQALN
AG3jAXxSaZhfTe1qnsrzNBhaBIGfdHBxkKw6frkEeBFtwgIALYlHVx1g21ma
oPJngGo+jzURpCKYliTEG2uyxFTmYKuBC2SzNcEBsKDO6DBEKDUzMkaL1AMb
NMwmbctZFPBYaDztUvwyPD5yx5rxwxm5Gqk8J66iSH6Rl3IIsp8WiCExsCfe
g2lS3+RkmoBERlnWO5c5L9S4DPHvwFBHnIN5VhIUqyhAfWaFsqLvwKqOyM7/
X4WFHSsNioFdRZG8iBDXzjIzjB1vhEZxY+My7dhtwP8N0CCzBfgsUzlWZNEG
Xw7BiR2mzgojDSB/IBZwQb7A94i+m8VwIszBYb1Fa8f+bE/AcQPF1MDR2RRF
vw6HJ1H4iZCiWIcZ2goDCgUWrKyIT7CCR7S4XsEnfrhlW+HBLX2CRilfgjJG
lukw7fwKGMZ44x4HpyJj7rKd6zGaQ0GmJiczGIl5XFzAbAKPnsDaTy3+8XfB
7k6Aa/snBBkAjrxFTWB5nuWazD25wFGeTcQBDjpTC3Rd04gbIPMBtJ8Rn8yu
1yv8SE8l9cxL7STgk/nx9PSL+HJ22qLWljFhlhtacY2jr8fwq0uIM8be1Mgk
snDIOriqeyFAxARw1PBfsIdwNB0SpVsKUBVQoI/cZoae5iUba+e5KsYOJVYZ
QMcboq/VhrdtquDJWBeAK4Q+rOO5E+Zq1ZGu++7TG/2rjMtJa8+gP+8djBi1
I83SrgtHnR2Zg5FV9oTM6eiATFinPNFY/vJxKEMy5hdgxwZIlBYI5Nwx33dE
/83b7c3XP25uvXq9Xk4BJSindGzcKnXPILeh0mgKqlxsjBGJDTP8quPBYAQ6
DVOXxVHYGOVdQTMwUm3aRzeFov1OOQATYVBr4/UE21Bxu96+HL2Rt/qhy6dx
SN6yXJ7OkqQx9zZofyotOhiQfTKwzoDwozUg1oKwFV5iQfYPPh2cHljdXG4x
Wk/N8f9BNrG5/gxKjkQaHI4pCkEnQc/msTSUIZAzVuwl9Gw6zXKMkLIpnE1e
iGnFQh5wgDh8BBOq+0LkcZFBhBsE//j7+9KPBMEzOJJaSnSXg3c+Pa0trDv3
MpfyPPFy314DiU6+9HMm7bGOjh9bPF0dr1aX1+rfysSqyWD0HT0xgCiz8RMJ
k2J/ckpRD6Xw4gXYuBcvRJcmF/HECS031lLimfLSJbMM7J5bViJkfpQ04H5P
1VzwkIUKrAeVvcsJQmRPq2wkuUwxJXswg0ot+H2WuMaYJSdvfq7L29ml1M5c
ZJnukPXvY5oGtCGFMhHlU/b0m/oFeGVT0UC6WLWoZoBJABPWMWbC5gGe+lp7
ZOMOZqyZUJpCHiht4cOM4WLGLzWH9+P8Pe3hMxhENIknYMcgSQghiOGCSfAF
EsArMSCDxd93IUsDRDEsQhXLzimdty7CxaKUqVL+eNUTBzK84O9AJdgSsBoE
pFK9wS388gzmHqAO82yWRHTOYwzK5pBrZRjxoAfHEzoCyrU5s4DH/Oscw0/I
SGE6JIvnqpgrRZoyYbuL2GHNRUzklbiQl1Rw8IoASkxmSRFjIIj2S6PFgoy/
UN8KDBqTTEMaVueU0DEghU5Alxuob6A6QFuIinhYz1o1Wib4bR2CZjXVog/W
7a34g9imvFrWQmk7mzLAZoBk5bTkz4ivufhl1/y9XLi2nNJcftP4smRK23Ij
/5tud7W/1u2KPcylbXw2EN2fcTmclgXLn2j3d1iH9bMSeF7dAnwesrs9Uvfe
/YmQB1RfrSEBJxCmlJzzWWfWvHwCIbrPszuxer3WwlaY0qV/8Av+AZr6vvw5
BeL0CE7XQqzUI1jNvHrXXX2zhljlj5Ya17Np4Amw+nGNRfokWP26GCv/UOCf
p1Ld1beVQ2HW3FuvGkfkWQ9IybuqWdkFSlZ/IkIsrYEjo3V3TJF7eWn2W3en
I/H9yNMxMDyvHZLaGVrdxoNVM02k+gt2rx2b9t1zUrL+5lqL4bgH8vjvgBTr
O2hvcJ53R6dAXqGUmzUZFcEtAO2G6mq3TG0e5hBpvcHlj5WQJgj6Pcheqv4M
shjrrCfyK1UYKhNsnmTCdxt0mXpsEGwhyLbqGQB2s3MFIXRKWYJX7XNxMcUz
ELbZyNqebt7hFe7gOxIP5Sjj3IPiXSoXjxoQIEJ5XUfSqp8HqjBDmoMlH88q
7YDSG4RH0waVbo0Dt1uJ4MoYDNb+WFnrEmRYejiycWW07uBYPHQZkNNiwCnC
xsgkTrFCGENEaxs7puKH0eVGo4Bq0xTLIZuQlp0uKuRR/vy2ri67HoHUYgDS
YkDNHoZKCbJuoRq1ZBIPPMvCheG2tQYRqIBox8PSlmQxZNYqjXBjF2ZzQeF4
eFoV1cBrG0CorFJ5ngDGTuIZ50RJtY5akoF7leT5wTow5ydkjkkQfKUvdZ7y
KKrVmh1/0PVgslqzbZAL22zfqbq7LrvQFfXA73ucm+A65DVw2qACkPubD9HE
wbNooqHgh6YKteljv1/yfLfJ80HJc4dhfTJmlljCKfWSyjiSiziuz2fMiCve
VMo2qNi2ZOPKTka7ZaXOiP26IbjKGO8+KGvArlc+DN0YDQ3Vv0xJhW2PRklx
24s13lX9rRCsxjQuF/Rsne9CYodNXcbZTCdXgprE4xlOJCscm+sYv2Gbp7Zb
ybi4sIqg0Y4ect/dyxVNb84aA+mdlcVa+WHvB11HYSq19puUwEDTMr2H+2v4
wZf1kZcuJgDWLAsD3N9NI+C4YSLK8EJUviwFxZ/vTE75sxl5BKj6SB3UOxMo
O/Vj32zKEH5Ah/EcZZbdBijI4p4GK7454KVgnj/v+n8/N0E1JFj7/W6sWlnj
5REuGOtSouUY8Rj5fL/qBiZOI2XzLD8YKlOnu5clNv1Csh7oYltssthoNlgR
iGnMu2572+le3FyhiLBi9qzalRQ8yDasU+eDbAOYnfzKu1Ti6Md+nuiQq/iN
epbWjtFlEzDQNrY8O/kEgUCYRc4ce1GmCZv/gtpahnTGoJIO24KaW4p1sdxK
QpqAg+uO9GTEQHdqdM+EoqX2l+CXh7KM5JvS/3nez/HUd36yptu2HVLhrPF9
JjSwqKK2mIhcizQzTAdNGeVyPCEf8zGbW9OfKImhvVlcdyxpWSs1HkWLbEb3
NHSYTY2n9W7o8ZUSVomDb+DbtKuHY4HU1nmNigLyUTyCaAjFVtY3rTIRlEhN
FWspWMAYL1nQsEywh3YFq3CT0gX2xK5f6aeydi4mGVDARwh0IK+F0TY8oJDX
n8VRgo1aC7qSQ5PMrohnPiv9qH+rQlZmVu4gmW5QW9rFh5a1HthKXex4ZOFf
ULuLApjyqoShzurbXnkxx5AClDAJI5loApdmhVEoRm9ZEEXdfNfjwtgSb3Ty
BVJLSYWN6xh21OIqpANVY8D2LzJ51bJuDSed9tzbi6k9xOa3NqYaFtm+jEtO
fQxQNT/bcrzHflZSrJPDvzouZsaYVq5uYD8HGEd9rKm5b0bPGDfqr9zOgTzo
ntFze2hmL43UQrQ9m8hzEl7ZoR7Be2cnBtjHdKAYiDnstTluD9v9LU8G0VTe
RamTxumC4Tyo3WTquwTub0WufOBchEMqA/k0rrqYi4Chii8xf1mIm3MeOV4m
IU2p42ezoN4jQlETQ9jy0L1iiEoVzQ6b4LFWOmwNnhbFLdRKEn9ks1Dbc/nK
Zdi2rmw0MLwoq+xk/K9g29axeP7A1BtpTS1aOxaudFoP4it4PmNq8QBQ70xE
/SRYcetiecLTHtVTp6J7N4Grb9cejNUCUOoSi/I3pqzfrV4TXa5Xd/Hq7mPx
zlTkn4ztv34X26l0fw+2N7FaQGLj9GIx/skF1kfj9BwC4/CpDSsqDLxa+28I
7EGgqt/uNPGeaVrtg+VqmqdmjeFZsFqskW9aNfJuU75Ahr9zpcAOLej3NBs+
Zb5ZT+ptDrPK02lwzUuEmmEjlcdL6ffGSXYukx5zyoua71u0h6Dnfm0lk/Ay
RIDUGmW09pQo002jeiPKT9PuQ1GzK/WwPH5ZP+rUFgzuakdBqrq0E2W4tLwR
9X3FhNpNuJpeUPGDc+wKTg9h79sSuQNMZmu1GCxJxKb5xEm+LOQ5vkxEV1lR
BPiK1ShGWfMMSAiyPBITWYQX7YhjGkVdHd/0txyYtOob7MG5vvbf/bit84gK
I80MyGYYT3Oayju1vrptV5Tk6IGFxPaWjkmYWznR2rvZfCZ1QxZCWqqBhZD0
OxIeoGt+W6lN2RSPmdOzgBE1jEkNLQt1LcvkE109NC7TBCXsbz2XFpY4OL1r
qwvfxThygt+hiP1XFU389ffRxDut7/A+1ncPQT2iIPtcSk2yMcU5+sGrzTVf
aLTOCYtwTcjlxfTH19086L8xwt9RfQtWmreHV2q3h91lY3ypIrQviWNtWZtX
3FfE4eBogG81a2C7uU0duB/t/8OgMcG9H38uw684c9++dfcx1kWWX9H97iX/
h4bNoGvaIgm2EzS9VL98SR+W5ArbGxEuOUdm8D1s74fqqxYww7ylXs4wASL8
1HxFnbvUgy+H4hQvSATBrkqyOb+Rhv8bh4zfAo5EgT/TK5Y0XbOnd01ybrl4
tfydILhxF4gqoS++SGbvzd/Qm4bej072+Bfc7CDH68FzZaw2hR9h60qdzEKn
iNM9mX6NffSUdF3MZczFWgYAAP33XEsQB6diIUBeiq+mwvK/cBe0hs/gdO9j
bb6BcFPu7JWlFu5cXeqwH1sYFQvptj9bAuNwOTsqb65ZEOZ1j3aAesavHViK
zFsICyjyXqXwHktK/NV1Shaurb7X0op0ba2HtGehyq3sexatCgBKLjE4pdWV
d+DaV1f55a+uvTfStrqGuFstgv8AnAtCSURGAAA=

-->

</rfc>
