Access Requests and Grants#

Starting in version 2.0, Inrupt’s Enterprise Solid Server (ESS) provides support for access requests and grants [1]. With access requests and grants:

  • An agent can request access to Resource(s) hosted on a Pod. This access request includes the specific access mode (e.g., read, write, append), the Resource(s) to access, etc.

  • The owner of the requested Resource(s) (i.e., individuals with Control access to the requested Resource(s)) can approve or deny the access request:

    • For an approved request, ESS creates an access grant with an approved status.

    • For a denied request, ESS creates an access grant with a denied status.

  • If the requesting agent receives an access grant, the agent can use the grant to access the Resource(s).

Inrupt Client Library#

To support ESS’ access requests and grants feature, Inrupt provides the @inrupt/solid-client-access-grants library. [2] This library contains APIs to manage access requests and grants issued by ESS. [3]

npm install @inrupt/solid-client-access-grants

Usage Scenario#

In the following usage scenario, a user wants to print some photos that are stored in the user’s Pod. The user visits the ExamplePrinter’s web application which provides photo printing services. When the ExamplePrinter’s web application asks for the photos to print, the user enters the URLs of the photos. To continue, the ExamplePrinter’s website asks for access to read the photos.

For example, assume the user snoringsue with the WebID (https://id.example.com/snoringsue) is on ExamplePrinter’s web application to print the following photos:

  • "https://storage.example.com/someIdentifier/myphotos/apples.jpg"

  • "https://storage.example.com/someIdentifier/myphotos/persimmons.jpg"

  • "https://storage.example.com/someIdentifier/myphotos/grapes.jpg".

The following diagram gives an overview of the flow (in the example, the access request and grants serialized as VCs)

ExamplePrinter sends an access request to snoringsue's Access Management app, where she can approve or deny said access. The resulting Access Grant is sent back to ExamplePrinter's app which uses it in order to access snoringsue's resources on her Pod.

Sequence diagram of the Access Request flow where snoringsue is requested access to her photos by ExamplePrinter and approves the request.#

Next Steps#

Manage Access Requests

To make access requests. If access is granted, use the Access Grants to access the resource (such as the ExamplePrinter application in above diagram).

Manage Access Grants

To approve or deny access requests (such as the Access Management application in above diagram).

Use Access Grants to Access Resources

To use approved Access Grants to access Pod resources (such as the ExamplePrinter application in above diagram).