Use Access Grants to Access Resources#
AccessGrantSession#
The inrupt-client-accessgrant module provides an
AccessGrantSession that builds an authenticated Session object
using both:
an OpenID-based session and
one or more access grants.
Then, a SolidClient/SolidSyncClient can use this session to access resources using the approved access grant(s).
Continuing the example from Create Access Requests/Grants, ExamplePrinter backend server, with the appropriate access grants, can access the resource(s) for printing.
For convenience, ExamplePrinter’s backend server’s code to instantiate AccessGrantClient for ExamplePrinter is repeated here:
public class ExamplePrinterRequestingClass {
private final URI PS_ACCESS_GRANT_URI = URI.create("https://vc.inrupt.com");
private Session session; // Session for ExamplePrinter.
// ... Logic to initialize the ExamplePrinter's session has been omitted for brevity.
private final AccessGrantClient accessgrantClient = new AccessGrantClient(PS_ACCESS_GRANT_URI)
.session(session);
// ...
// ...
}
1. Get the Access Grant(s) to Use#
Note
The user can only access those access grants where the user is the creator of the access grant (i.e., the grantor) or the recipient of the access grant (i.e., the grantee). That is, the ESS’ Access Grant service only returns those access grants where the user is the creator or the recipient.
If the Access Grant’s id is known, the application can directly retrieve the access grant using AccessGrantClient.fetch with the Access Grant’s id.
Note
The fetch operation can return expired or future access grants.
// String grantID = "https://vc.{ESS DOMAIN}/vc/xxxxxx...";
AccessGrant accessGrant = accessgrantClient.fetch(URI.create(grantID), AccessGrant.class)
.toCompletableFuture()
.join();
The application can use AccessGrantClient.query to query for
active (i.e., current and not expired) access grants. To use
AccessGrantClient.query for access grants, you can pass in
a CredentialFilter object CredentialFilter<AccessGrant> that
specifies the query filter values (i.e., a combination of the resource, creator,
recipient, purpose, and type).
You can use CredentialFilter.Builder and its methods to build a CredentialFilter for access grants:
Method |
Descriptions |
|---|---|
Optional. Include a credential status in the query object. The following values are supported for access grants:
|
|
Optional. Include the creator of the access grant in the query filter. This is the resource owner. |
|
Optional. Include the recipient of the access grant
in the query filter. This is the agent that is granted access.
In the example, the value is the ExamplePrinter’s WebID
|
|
Optional. Include the resource in the query object. Use this filter to return access grants bound to a specific resource. |
|
Optional. Include a purpose in the query object. Use this filter to return access grants bound to a specific purpose. |
|
Optional. Include a time constraint on the issuance date in the query object. All matched credentials will have been issued within the provided duration value. Certain time constraints are available for use with this method, including: |
|
Optional. Include a time constraint on the revocation date in the query object. All matched credentials will have been revoked within the provided duration value. Certain time constraints are available for use with this method, including: |
|
Builds the CredentialFilter object. To build a query object for access grants (i.e.,
|
The following example queries for active access grants, given to ExamplePrinter, that provide access for a specific resource for the purpose of photo printing. Specifically,
The example uses the CredentialFilter.Builder and its methods to:
Specify the resource
.resource(...), the purpose.purpose(...), and the status.status(CredentialStatus.ACTIVE), andBuild
.build(AccessGrant.class)aCredentialFilter<AccessGrant>.
Calls AccessGrantClient.query with the built
CredentialFilter<AccessGrant>object.CredentialFilter<AccessGrant> accessGrantFilter = CredentialFilter .newBuilder() .status(CredentialFilter.CredentialStatus.ACTIVE) .resource(URI.create("https://storage.example.com/some/resource")) .purpose(URI.create("https://purpose.example.com/PhotoPrinting")) .build(AccessGrant.class); CredentialResult<AccessGrant> result = accessgrantClient .query(accessGrantFilter) .toCompletableFuture().join();
Navigate through the response CredentialResult object.
List<AccessGrant> items = result.getItems(); if (result.nextPage().isPresent()) { CredentialResult<AccessGrant> page2 = agClientForUser .query(result.nextPage().get()) .toCompletableFuture().join(); }
From the list, the agent can select the access grant to use.
2. Create an AccessGrantSession#
To instantiate an AccessGrantSession, call the constructor with the following parmeters:
Access Grants to Use
For example, the following code instantiates an AccessGrantSession using both the ExamplePrinter’s OpenID Session and the access grant:
Session agSession = AccessGrantSession.ofAccessGrant(session, accessGrant);
3. Create a Solid Client#
To access the resource with access grants, create a SolidSyncClient or SolidClient using the AccessGrantSession:
SolidSyncClient client = SolidSyncClient.getClient().session(agSession);
4. Access the Resource#
Use the SolidSyncClient.send() method to access the non-RDF resources and SolidSyncClient.read() method to read RDF resources.
For example, the following code uses the client associated with ExamplePrinter and the access grants to read the image file (a Non-RDF resource) at the resource URL:
SolidNonRDFSource resource = client.read(URI.create("https://storage.example.com/some/resource"), SolidNonRDFSource.class).toCompletableFuture().join();
Tip
If you receive an HTTP 403 Forbidden error, check that you have
enabled the use of access grants for the resource.