Create Access Requests/Grants

AccessGrantClient

The inrupt-client-accessgrant module provides an AccessGrantClient that interacts with the ESS Access Grant Service to create/verify/query/fetch Access Requests and Grants.

To interact with the service, the AccessGrantClient has the following methods:

Method
Description

Updates the status of the Access Requests/Grants to revoked.

Queries for Access Requests and Grants.

Creates Access Request denials.

Performs validation checks on Access Requests/Grants, such as signature validation, date validation, etc.

To instantiate an AccessGrantClient, you need to pass in the URI of the ESS Access Grant Service. For example, the Access Grant service for Inrupt’s PodSpaces runs at https://vc.inrupt.com.

Create an Access Request

An application can use AccessGrantClient.requestAccess to create an Access Request.

For example, a user visits ExamplePrinter’s website, which provides photo printing services. When ExamplePrinter’s web application asks for the photos to print, the user enters the URLs of the photos that are located in the user’s Pod. To continue, ExamplePrinter’s backend server uses AccessGrantClient.requestAccess to create Access Requests to read the photos.

1. Instantiate the Requestor’s AccessGrantClient

To instantiate an AccessGrantClient, call the constructor with the following parameters:

| Parameters | Descriptions |
| --- | --- |
| Access Grant Service URI | The root URL of the ESS Access Grant service. |
| Authenticated Session | The authenticated session of the requestor. |

For example, the following instantiates an AccessGrantClient for ExamplePrinter using the Inrupt PodSpaces Access Grant Service URI and ExamplePrinter’s authenticated session:

In these examples, logic to initialize an authenticated session for ExamplePrinter has been omitted for brevity.

2. Create the Access Request

To create an Access Request, call AccessGrantClient.requestAccess with the request details:

| Parameters | Descriptions |
| --- | --- |
| Resource Owner | The WebID of the agent who controls access to the requested resource(s). |
| Requested resource(s) | Resource(s) to which the access is being requested. |
| Requested access mode(s). | Requested access modes. Available modes are "Read", "Write", and "Append". |
| Optional. Purpose(s) for the request. | URI(s) indicating the stated purpose(s) for the request. |
| Optional (but Recommended) Expiration Date. | Expiration date of the Access Request and subsequent Access Grant, if approved. ESS Access Grant Service may be configured to issue Access Requests and Grants with an earlier expiration date. |

AccessGrantClient.requestAccess(AccessRequest.RequestParameters) accepts the Access Request details as AccessRequest.RequestParameters. To build the AccessRequest.RequestParameters object, you can use AccessRequest.RequestParameters.Builder and its methods.

For example, the following code uses:

  • AccessRequest.RequestParameters.Builder to specify the request details (i.e., the resource owner, the resources, the modes, the purposes, and the expiration); and

  • ExamplePrinter’s instantiated AccessGrantClient to create the request (i.e., the requestor is ExamplePrinter).

Create an Access Grant

Resource owners can use their access management application to view Access Requests made to them and decide whether to grant the requested access or not. If the resource owner decides to grant an Access Request, the access management application can call AccessGrantClient.grantAccess to create an Access Grant. Optionally, the application can also call AccessGrantClient.verify to verify the Access Request before displaying it to the user.

For example, the user (the resource owner) who visited ExamplePrinter’s website to print pictures can log in to a trusted access management application. The access management application can display the Access Request made to the user by ExamplePrinter. If the user decides to grant the requested access, the application can create an Access Grant. The access management application has a backend server that uses various AccessGrantClient methods, namely:

1. Instantiate the Grantor’s AccessGrantClient

To instantiate an AccessGrantClient for the grantor/resource owner, call the constructor with the following parameters:

| Parameters | Descriptions |
| --- | --- |
| Access Grant Service URL | The root URL of the ESS Access Grant service. |
| Authenticated Session | The authenticated session of the user (the resource owner). |

For example, the following instantiates an AccessGrantClient using the Inrupt PodSpaces Access Grant Service URI and the resource owner’s session:

2. Get the Access Requests Made to the User

The user can only retrieve Access Requests where the user is either the requestor (creator of the Access Request) or the resource owner (recipient of the Access Request).

If the Access Request’s id is known, the application can directly retrieve the Access Request using AccessGrantClient.fetch with the Access Request’s id.

The fetch operation can return expired or future Access Requests.

3. Verify the Requested Access

To verify the Access Request, use AccessGrantClient.verify, passing it the Access Request.

For example, the following uses AccessGrantClient.verify to verify an Access Request, checking for errors and warnings.

4. Create the Access Grant

For a valid Access Request, if the resource owner decides to grant the requested access, the application can call AccessGrantClient.grantAccess, passing in the specific Access Request to grant.

For example:
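Added example, not Inrupt's code and not taken from the SDK: a least-privilege policy gate that a grantor's backend could run over the request details listed in the "Create the Access Request" table (owner, resources, modes, purposes, expiration) before it calls AccessGrantClient.grantAccess. RequestDetails, violations() and all URLs are hypothetical; how the values are read from a fetched Access Request is not shown. Records require Java 16 or later.

```java
import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example: RequestDetails, violations() and every URL below are hypothetical/constructed.
public class GrantPolicyExample {
    // The request details from the parameter table, held as plain values.
    record RequestDetails(URI owner, Set<URI> resources, Set<String> modes,
                          Set<URI> purposes, Instant expiration) {}
    static final Set<String> KNOWN_MODES = Set.of("Read", "Write", "Append");

    // Returns every policy violation; an empty list means the request may be offered for approval.
    static List<String> violations(RequestDetails r, URI me, String podRoot,
                                   Set<String> allowedModes, Duration maxLifetime, Instant now) {
        List<String> out = new ArrayList<>();
        if (!me.equals(r.owner())) out.add("addressed to a different resource owner");
        for (URI res : r.resources()) {
            // normalize() collapses "../" segments before the prefix comparison
            if (!res.normalize().toString().startsWith(podRoot)) out.add("resource outside Pod: " + res);
        }
        for (String m : r.modes()) {
            if (!KNOWN_MODES.contains(m)) out.add("unknown mode: " + m);
            else if (!allowedModes.contains(m)) out.add("mode not permitted by policy: " + m);
        }
        if (r.purposes().isEmpty()) out.add("no stated purpose");
        if (r.expiration() == null) out.add("no expiration date");
        else if (!r.expiration().isAfter(now)) out.add("already expired");
        else if (r.expiration().isAfter(now.plus(maxLifetime))) out.add("lifetime exceeds policy maximum");
        return out;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // fixed clock for a repeatable run
        URI me = URI.create("https://id.example.com/alice"); // constructed WebID
        String pod = "https://storage.example.com/alice/";   // constructed Pod root
        Set<String> allowed = Set.of("Read");
        RequestDetails narrow = new RequestDetails(me,
            Set.of(URI.create(pod + "photos/beach.jpg")), Set.of("Read"),
            Set.of(URI.create("https://purpose.example.com/print")), now.plus(Duration.ofMinutes(30)));
        RequestDetails broad = new RequestDetails(me,
            Set.of(URI.create(pod + "photos/../../bob/notes.ttl")), Set.of("Read", "Write"),
            Set.of(), now.plus(Duration.ofDays(365)));
        System.out.println(violations(narrow, me, pod, allowed, Duration.ofHours(24), now));
        System.out.println(violations(broad, me, pod, allowed, Duration.ofHours(24), now));
    }
}
```

The gate supplements AccessGrantClient.verify rather than replacing it: verify covers the checks the service performs, while this encodes what the resource owner's application is willing to grant.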
