Access Requests and Grants

New in version 2.0.

Starting in version 2.0, ESS supports an authorization mechanism based on access requests and grants. With access requests and grants:

1. An agent sends an access request to the resource owner. In ESS 2.0, the access request is serialized as a VC. This request includes the specific access level (e.g. read, write, append), the resource(s) to access, etc.

2. The resource owner decides to deny or grant the access request. If the resource owner decides to grant access, the resource owner:

   • Creates a record of the grant. In ESS 2.0, the access grant is serialized as a VC.

   • Can revoke the access grant in the future.

3. If granted access, the agent can exchange the access grant for an access token in order to access the resource.

ACP

ESS uses Access Control Policy (ACP) to define the policies that determine access to Pod’s resources.

For details, see Access Control Policy (ACP).

Services to Support Access Requests and Grants

To support access requests and grants, ESS adds the following services:

• Verifiable Credential service. In ESS 2.0, access requests and grants are serialized as a VC. The Verifiable Credential service is responsible for issuing, verifying, and revoking Verifiable Credentials.

• User Managed Access Grant 2.0 (UMA) authorization service to exchange the access grants for an access token.