Access Requests and Grants

Starting in version 2.0, Inrupt’s Enterprise Solid Server (ESS) provides support for access requests and grants [1]. With access requests and grants:

• An agent can request access to Resource(s) hosted on a Pod. This access request includes the specific access mode (e.g., read, write, append), the Resource(s) to access, etc.

• The owner of the requested Resource(s) (i.e., individuals with Control access to the requested Resource(s)) can review the access request and either grant the access request (resulting in an access grant) or deny the access request (resulting in an access denial).

• If the requesting agent has an access grant, the requesting agent can exchange the access grant for an access token in order to access the Resource(s).

Important

Starting in version 2.1 of ESS:

• An access request that specifies a Container also applies to the Container’s descendants unless explicitly specified otherwise in the request with an inherit: false.

• An access grant that specifies a Container also applies to the Container’s descendants unless explicitly specified otherwise in the approved access grant with an inherit: false.

To set the inherit field in access requests/access grants, version 2.1.+ of @inrupt/solid-client-access-grants-js adds an inherit: <boolean> option to issueAccessRequest and approveAccessRequest.

In the previous version of ESS, access request/grant applied only to the explicitly stated resource or resources in the access request/grant, regardless of whether the resource is a Container, an RDF Resource, or a non-RDF Resource.

Inrupt Client Library

To support ESS’ access requests and grants feature, Inrupt provides the @inrupt/solid-client-access-grants library. [2] This library contains APIs to manage access requests and grants issued by ESS. [3]

npm install @inrupt/solid-client-access-grants

Usage Scenario

In the following usage scenario, a user wants to print some photos that are stored in the user’s Pod. The user visits the ExamplePrinter’s web application which provides photo printing services. When the ExamplePrinter’s web application asks for the photos to print, the user enters the URLs of the photos. To continue, the ExamplePrinter’s website asks for access to read the photos.

For example, assume the user snoringsue with the WebID (https://id.example.com/snoringsue) is on ExamplePrinter’s web application to print the following photos:

• "https://storage.example.com/someContainer/myphotos/apples.jpg"

• "https://storage.example.com/someContainer/myphotos/persimmons.jpg"

• "https://storage.example.com/someContainer/myphotos/grapes.jpg".

The following diagram gives an overview of the flow (in the example, the access request and grants serialized as VCs)

Sequence diagram of the Access Request flow where snoringsue is requested access to her photos by ExamplePrinter and approves the request.

Next Steps

Manage Access Requests	To make access requests. If access is granted, use the Access Grants to access the resource (such as the ExamplePrinter application in above diagram).
Manage Access Grants	To approve or deny access requests (such as the Access Management application in above diagram).
Use Access Grants to Access Resources	To use approved Access Grants to access Pod resources (such as the ExamplePrinter application in above diagram).

[1]

ESS serializes the access requests and grants as Verifiable Credentials (VCs).

[2]

Inrupt’s PodBrowser also supports access requests and grants. Specifically, using the @inrupt/solid-client-access-grants library, PodBrowser provides the functionality to grant or deny the requests. That is, PodBrowser can act as a request management app.

[3]

ESS uses ACP policy to enable the use of access grants for a resource. The @inrupt/solid-client-access-grants API can handle the enablement when granting access for a resource.