Access Requests and Grants#
New in version 2.0.
Starting in version 2.0, ESS supports an authorization mechanism based on access requests and grants. With access requests and grants:
An agent sends an access request to the resource owner. In ESS, the access request is serialized as a VC. This request includes the specific access mode (e.g.
Append), the resource(s) to access, etc.
The resource owner decides to deny or grant the access request. If the resource owner decides to grant access, the resource owner:
Creates a record of the grant. In ESS, the access grant is serialized as a VC.
Can revoke the access grant in the future.
If granted access, the agent can exchange the access grant for an access token in order to access the resource.
ESS uses Access Control Policy (ACP) to define the policies that determine access to Pod’s resources. To enable the use of access grants for a resource, the resource must have an Access Control Policy (ACP) that includes :
A VC Matcher Type of
The allowed access mode(s) (
The policy only enables the use of access grants on that resource for the allowed access modes. To determine the access for an agent using an access grant, ESS uses the intersection of:
The allowed access specified by the resource’ ACP, and
The granted access specified in the access grant for that resource.
A resource has an ACP that enables the use of access grants for
An agent has an access grant for that resource that allows
Then, the agent can use the access grant to
Read the resource
only. The agent cannot use the access grant to
resource, even though the access grant specifies both
For more information on ACP, see Access Control Policy (ACP).
Services to Support Access Requests and Grants#
To support access requests and grants, ESS provides the following services:
Access Grant Service. The Access Grant service is responsible for issuing, verifying, and revoking Verifiable Credentials.
User Managed Access Grant 2.0 (UMA) service to exchange the access grants for an access token.
Authorization Service to manage the ACPs.