Manage Access Grants

Upon receipt of an access request, resource owners (i.e., individuals with Control access to the requested Resource(s)) can grant or deny the access request. For either decision, a record of the decision is created. This record can be sent to the access requestor in response.

Access Requests and Grants

The following Inrupt products are available to support Access Requests and Grants:

  • solid-client-access-grants library for managing access requests and grants

  • Inrupt’s Enterprise Solid Server (ESS) provides support for access requests and grants. ESS serializes the access requests and grants as Verifiable Credentials (VCs).

  • Inrupt’s PodBrowser supports access request management.

Inrupt’s solid-client-access-grants library provides various functions for approving or denying access requests; for example:

approveAccessRequest

Creates an approved Access Grant, serialized as a signed Verifiable Credential. [1] The Access Grant may be used to get access to the specified resources.

Server-side code can use this function to create the Grant.

denyAccessRequest

Creates a record for a denied Access Grant, serialized as a signed Verifiable Credential.

Server-side code can use this function to deny the request.

The following implements the role of the Access Management app in the example introduced in Access Requests and Grants. The role of the Access Management app is to act as a trusted third party in the Access Request flow.

Granting Access

The access requestor (e.g., ExamplePrinter) sends the Resource Owner (e.g., snoringsue) to the Resource Owner’s Access Management app.

Note

When sending the Resource Owner to the Access Management app, the requestor adds the following query parameters:

  • id of the Access Request (in the example, the id of the Access Request VC), and

  • redirectUrl, the URL where the requestor expects the Access Management app to redirect the Resource Owner after access has been granted or denied.

In order to approve or deny an Access Request:

  1. The Resource Owner logs in to the Access Management app, if not already logged in.

  2. The Access Management app displays the Access Request (found in the requestVc parameter) to the Resource Owner.

  3. The Resource Owner approves or denies the Access Request.

    • If the Resource Owner approves the request, the Access Management app uses approveAccessRequest to return the id of the Access Grant VC. Optionally, the Access Management application may allow the user to grant access partially, such as to a subset of the requested resources or permissions.

      import { approveAccessRequest } from "@inrupt/solid-client-access-grants";

      async function getApprovedGrantVC(accessRequestToApprove, resourceOwnerSession) {

        // Call `approveAccessRequest` to acquire a Verifiable Credential
        // for the approved access grant
        const accessGrant = await approveAccessRequest(
          accessRequestToApprove,
          undefined,  // Optional modifications for a partial access grant
          {
            fetch: resourceOwnerSession.fetch, // From the resource owner's (i.e., snoringsue's) authenticated session
          }
        );
        // Return the Grant so the caller can read its id and redirect the requestor
        return accessGrant;
      }
      
    • If the Resource Owner denies the request, the Access Management app uses denyAccessRequest to return the id of the denied Access Grant VC.

      import { denyAccessRequest } from "@inrupt/solid-client-access-grants";

      async function getDeniedGrantVC(accessRequestToDeny, resourceOwnerSession) {

        // Call `denyAccessRequest` to acquire a Verifiable Credential
        // for the denied access grant
        const accessGrant = await denyAccessRequest(
          accessRequestToDeny,
          {
            fetch: resourceOwnerSession.fetch, // From the resource owner's (i.e., snoringsue's) authenticated session
          }
        );
        // Return the denied Grant so the caller can read its id and redirect the requestor
        return accessGrant;
      }
      
  4. After receiving the Access Grant, the Access Management app redirects the user to the requesting app using the redirectUrl parameter received earlier. The id of the approved or denied Access Grant is added to the redirect URL. The requesting app can use getAccessGrantFromRedirectUrl to get the access grant.

    The requesting app can pass the id of the VC to getAccessGrant to retrieve the Access Grant.
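The following is an added example, not code from the Inrupt docs or from solid-client-access-grants, of how an Access Management app can tie the steps above together: it reads the id and redirectUrl parameters the requestor attached (see the Note), refuses redirectUrl values whose origin it does not already know so that the app cannot be used as an open redirector, applies the Resource Owner's decision, and builds the redirect back to the requestor. The parameter name accessGrantUrl for the grant id on the return redirect and the allow-list of requestor origins are this example's own assumptions; the approve/deny functions are injected so the example runs offline with a stub.

```javascript
// Added example (not from the Inrupt docs or library): the Access Management
// app's handling of the redirect from the requestor (Note above) and the
// redirect back after the decision (step 4). Assumptions: query parameters
// `id` and `redirectUrl` as named on this page; the parameter name
// `accessGrantUrl` for the grant id sent back, and the allow-list of
// requestor origins, are this example's own choices.

// Parse and validate the parameters the requestor attached when it sent the
// Resource Owner to the Access Management app.
function parseIncomingRequest(incomingUrl, allowedRequestorOrigins) {
  const url = new URL(incomingUrl);
  const requestVcId = url.searchParams.get("id");
  const redirectUrl = url.searchParams.get("redirectUrl");
  if (!requestVcId || !redirectUrl) {
    throw new Error("missing id or redirectUrl query parameter");
  }
  // Do not act as an open redirector: redirectUrl must be an absolute https
  // URL whose origin is a requestor this app already knows.
  let target;
  try {
    target = new URL(redirectUrl);
  } catch {
    throw new Error("redirectUrl is not an absolute URL");
  }
  if (target.protocol !== "https:" || !allowedRequestorOrigins.includes(target.origin)) {
    throw new Error(`redirectUrl origin not allowed: ${target.origin}`);
  }
  return { requestVcId, redirectUrl: target.toString() };
}

// Step 4: append the id of the approved or denied Access Grant VC to the
// requestor's redirectUrl, preserving any query string the requestor set.
function buildRequestorRedirect(redirectUrl, accessGrantId) {
  const target = new URL(redirectUrl);
  target.searchParams.set("accessGrantUrl", accessGrantId); // assumed name
  return target.toString();
}

// Step 3: apply the Resource Owner's decision. `lib` holds the
// approveAccessRequest/denyAccessRequest functions from
// @inrupt/solid-client-access-grants; they are injected so that the example
// can run offline with a stub in place of a live ESS.
async function decideAndRedirect(lib, session, requestVc, approved, redirectUrl) {
  const grant = approved
    ? await lib.approveAccessRequest(requestVc, undefined, { fetch: session.fetch })
    : await lib.denyAccessRequest(requestVc, { fetch: session.fetch });
  return buildRequestorRedirect(redirectUrl, grant.id);
}
```

In a real deployment, `lib` is the imported module and `session` is the Resource Owner's authenticated session, so the Grant is signed by ESS rather than returned by a stub.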