Require grants for fewer resource

[wilsonianb]

Are grants necessary for incoming payments and quotes?

Outgoing payments are currently the only resource utilizing grant limits.

open-payments/openapi/schemas.yaml

Lines 151 to 171 in ae0e924

	limits-outgoing:
	title: limits-outgoing
	description: Open Payments specific property that defines the limits under which outgoing payments can be created.
	type: [object, "null"]
	properties:
	receiver:
	$ref: '#/components/schemas/receiver'
	sendAmount:
	$ref: '#/components/schemas/amount'
	receiveAmount:
	$ref: '#/components/schemas/amount'
	interval:
	$ref: '#/components/schemas/interval'
	anyOf:
	- not:
	required:
	- interval
	- required:
	- sendAmount
	- required:
	- receiveAmount

We've landed on only needing to store grants with outgoing payments in Rafiki. (There doesn't seem to be a need to know/audit the grant used to create an incoming payment or quote.)

• chore(backend): replace GrantReference with OutgoingPaymentGrant rafiki#800 (comment)

Limiting quote reads complicates the necessary access to create a corresponding outgoing payment:

• Require read quote access on outgoing payment creation #234

Grants aren't necessary to rate-limit clients.

It seems like this might come down to how important it is to enforce read/read-all and list/list-all?
Is listing Open Payments resources (via the Open Payments API) even necessary?

We can restrict incoming payment /complete commands to the same client that created the incoming payment with httpsig.

Does deprecating description/externalRef make access control less necessary?

• Deprecate description and externalRef in favor of metadata #221

Does migrating from resource-based grants to scheme(?)-based grants [citation needed] resolve this issue?