/derive
Endpoint#
Added in version 2.0.
Starting in version 2.0, ESS supports an authorization mechanism based on access requests and grants.
ESS serializes the access requests and grants as Verifiable Credentials (VCs) and provides an endpoint that queries access requests/grants VCs and returns the matching VCs in a Verifiable Presentation.
Warning
As of ESS 2.3, this endpoint has been deprecated. Please use the /query
endpoint instead.
/derive
Endpoint#
The ESS Access Grant service provides an endpoint with the following URL:
https://vc.<ESS DOMAIN>/derive
Note
Access to the /derive
endpoint requires users to be
authenticated. The endpoint supports the use of either
Solid-OpenID Connect (OIDC) access token or, starting in version 2.1, UMA
token.
To query for/derive access requests/grants, clients can send a derivation request to the endpoint:
Method: |
|
---|---|
Content-Type |
|
Endpoint: |
|
Payload: |
Derivation request object. See Input: Verifiable Credential for details. |
Behavior#
The ESS’ /derive
endpoint implements the derive credential portion of
the VC API specification [4]
with the following exceptions:
ESS’
/derive
endpoint returns a Verifiable Presentation instead of a VC.ESS’
/derive
endpoint, by default, excludes both expired VCs (i.e., VCs withexpirationDate
in the past) and future VCs (i.e., VCs withissuanceDate
in the future). To override, see options.
The endpoint queries the user-associated access requests/grants (regardless of revocation status) to return a Verifiable Presentation (VP) that contains the matching access requests/grants VCs.
User-associated access requests are requests that have either:
The
credentialSubject.id
set to the user’s WebID (i.e., the request is created by the user); orThe
credentialSubject.hasConsent.isConsentForDataSubject
set to the user’s WebID (i.e., the request is made to the user).
User-associated access grants are grants that have either:
The
credentialSubject.id
set to the user’s WebID (i.e., the grant is created by the user); orThe
credentialSubject.providedConsent.isProvidedTo
set to the user’s WebID (i.e., the grant is given to the user).
Input: Verifiable Credential#
The endpoint accepts a JSON document of the form:
{
"verifiableCredential": <VC to filter/query by>,
"options": {
"include": "ExpiredVerifiableCredential"
}
}
|
Specify a filter access request/grant VC. The filter VC acts similarly to a “search-by-example” model and can be minimal (i.e., can be missing fields or have empty values such as an empty array, an empty document) or comprehensive. However, if any of the following field paths appear in the filter VC and are non-empty, ESS Access Grant services uses these non-empty field paths to filter access requests/grants VCs: |
|
Optional. Specify the "options": {
"include": "ExpiredVerifiableCredential"
}
Omit to exclude the expired and future VCs. If you specify a different option or value (such as |
Filter Paths#
id
#
If the id
field is present in the filter access requests/grants VC,
the ESS Access Grant service considers the field for filtering
user-associated access requests/grants.
"id": <value>
If the id
(i.e., the URL) of an access request/grant is known, you
can use the id
filter field to return a specific access
request/grant in the output. [1]
type
#
If the type
field is present in the filter access request/grant VC,
the ESS Access Grant service considers the field for filtering
user-associated access requests/grants VCs.
"type": <value(s)>
Note
If the type
value is a non-empty array, matching VCs must
include all elements in that array. The matching VCs can have
additional elements in the array; that is, the matching VCs are not
restricted to just the elements specified in the filter array.
You can use the type
field to query specifically for access
requests or specifically for access grants.
For Access Requests#
To query for Access Requests, you can specify filter "type": [
"SolidAccessRequest" ]
:
"type": [ "SolidAccessRequest" ]
For Access Grants#
To query for Access Grants, you can specify "type": [
"SolidAccessGrant" ]
:
"type": [ "SolidAccessGrant" ]
credentialSubject
#
If the credentialSubject
field is present in the filter access
requests/grants VC, and is not empty (i.e., it is not an empty
document and contains at least one non-empty field path), the ESS Access Grant service considers the
non-empty credentialSubject
field path(s) to filter user-associated
VCs.
"credentialSubject": {
"id": <value>,
<"hasConsent"|"providedConsent">: {
//...
}
}
For Access Request VCs#
In access requests, the credentialSubject
field contains an id
field and a credentialSubject.hasConsent
field. When querying for
access requests, you can query by any non-empty combination of the
fields.
"credentialSubject": {
"id": <value>, // The requestor's WebID
"hasConsent": {
"mode": <value or array of values>
"hasStatus": <value>,
"isConsentForDataSubject": <value>, // The resource owner's WebID
"forPersonalData": <value or array of values>,
"forPurpose": <value or array of values>
}
}
Note
For fields that can be a single value or an array of values,
A single value is equivalent to an array with a single element.
To filter by an array, matching VCs must include all elements in the provided array. However, the matching VCs can have additional elements in the array; that is, the matching VCs are not restricted to just the elements specified in the filter array.
That is:
<field>: "foo"
condition would match:<field>: "foo"
<field>: [ "foo" ]
<field>: [ "foo", "other string" ]
<field>: [ "foo" ]
condition would match:<field>: "foo"
<field>: [ "foo" ]
<field>: [ "foo", "other string" ]
For Access Grant VCs#
In access grants, the credentialSubject
field contains an id
field and a credentialSubject.providedConsent
field. When querying
for access grants, you can query by any non-empty combination of the
fields.
"credentialSubject": {
"id": <value>, // The resource owner(grantor)'s WebID
"providedConsent": {
"mode": <value or array of values>,
"hasStatus": <value>,
"isProvidedTo": <value>, // The grant recipient's WebID
"forPersonalData": <value or array of values>,
"forPurpose": <value or array of values>
}
}
Note
For fields that can be a single value or an array of values,
To filter by an array, matching VCs must include all elements in their array. However, the matching VCs can have additional elements in the array; that is, the matching VCs are not restricted to just the elements specified in the filter array.
That is:
<field>: "foo"
(or<field>: ["foo"]
) condition would match:<field>: "foo"
<field>: [ "foo" ]
<field>: [ "foo", "other string" ]
<field>: [ "foo", "bar" ]
condition would match:<field>: [ "foo", "bar" ]
<field>: [ "foo", "bar", "something else" ]
Empty credentialSubject
#
ESS Access Grant service only considers non-empty credentialSubject
field
path(s) to filter user-associated access requests/grants. Empty credentialSubject
field path(s) are not considered as part of the filter. Examples of empty
credentialSubject
field paths are:
"credentialSubject": {
}
"credentialSubject": {
"hasConsent": {}
}
"credentialSubject": {
"hasConsent": {
"mode": [],
"forPersonalData": []
}
}
"credentialSubject": {
"providedConsent": { }
}
"credentialSubject": {
"providedConsent": {
"mode": []
}
}
issuer
#
If the issuer
field is present in the filter access request/grant
VC, the ESS Access Grant service considers the field for filtering
user-associated access requests/grants VCs.
"issuer": <value>
Output: Verifiable Presentation#
The /derive
endpoint returns a Verifiable Presentation containing
the matching access requests/grants VCs:
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://w3id.org/security/data-integrity/v1",
"https://w3id.org/security/suites/ed25519-2020/v1"
],
"holder": "https://vc.<ESS Domain>",
"type": "VerifiablePresentation",
"verifiableCredential": [
{ // Matching access request/grant VC },
{ // Matching access request/grant VC },
...
]
}
Examples#
ESS Access Grant service performs a match on non-empty id, credentialSubject, issuer, and type field paths present in the filter VCs.
Note
In the following examples, the filters return user-associated access requests/grants (both active and revoked) that match the filter field paths. Because the payload does not specify the options: {“include”: “ExpiredVerifiableCredential” }, expired and future access requests/grants are excluded from the results.
Example 1#
The following filter queries for user-associated access grants where owliverowner
grants
Read
access to requestingrabbit
.
{
"verifiableCredential": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://schema.inrupt.com/credentials/v1.jsonld"
],
"type": [
"VerifiableCredential",
"SolidAccessGrant"
],
"credentialSubject": {
"providedConsent": {
"mode": [ "Read" ],
"hasStatus": "ConsentStatusExplicitlyGiven",
"isProvidedTo": "https://id.<ESS DOMAIN>/requestingrabbit"
},
"id": "https://id.<ESS DOMAIN>/owliverowner"
}
}
}
The filter’s verifiableCredential
field contains the following
non-empty fields for matching user-associated access grants:
type
that matches an array that includes both"VerifiableCredential"
and"SolidAccessGrant"
as elements, ANDcredentialSubject.providedConsent
.mode
that matches the value"Read"
[2], AND.hasStatus
that matches the value"ConsentStatusExplicitlyGiven"
, AND.isProvidedTo
that matches the value"https://id.<ESS DOMAIN>/requestingrabbit"
, AND
credentialSubject.id
that matches the value"https://id.<ESS DOMAIN>/owliverowner"
.
For owliverowner
or requestingrabbit
, the endpoint returns a
Verifiable Presentation
with the matching access grants.
For other users, the endpoint returns a Verifiable Presentation with no matching access grant.
Or the field matches an array that includes the specified value(s) as elements.
Example 2#
The following filter queries for user-associated access grants that gives Write
access
to the specified resource.
{
"verifiableCredential": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://schema.inrupt.com/credentials/v1.jsonld"
],
"type": [
"SolidAccessGrant"
],
"credentialSubject": {
"providedConsent": {
"mode": "http://www.w3.org/ns/auth/acl#Write",
"forPersonalData": [
"https://storage.<ESS Domain>/<Root Container>/getting-started/readingList/myList"
]
}
}
}
}
The filter’s verifiableCredential
field contains the following
non-empty fields for matching:
type
that matches"SolidAccessGrant"
value [3] as an element, ANDcredentialSubject.providedConsent
When the filter is posted to the /derive
endpoint by either the
resource owner of the reading list or by a user who has been granted
access to that reading list:
For the resource owner, the endpoint returns a Verifiable Presentation with all the matching access grants given by the resource owner for that resource (regardless of the recipients).
For a user who is a recipient, the endpoint returns a Verifiable Presentation with all the matching access grants given to the user for that resource.
For other users, the endpoint returns a Verifiable Presentation with no matching access grants.
Upon completion, the endpoint returns a Verifiable Presentation with the matching VCs.
Or the field matches an array that includes the specified value(s) as elements.
Empty Filter Paths#
ESS Access Grant service performs a match only on non-empty id, credentialSubject, issuer, type field paths. Otherwise, the service returns all access requests/grants associated with the user.
For example, when the following payloads are posted to the /derive
endpoint:
The filter’s
verifiableCredential
field is an empty document; i.e., the filter VC does not contain any of the fields used for matching:{ "verifiableCredential": { } }
This would match all access request VCs and access grant VCs associated with the user.
The filter’s
verifiableCredential
containstype
value of"VerifiableCredential"
and empty values for the query field “credentialSubject.hasConsent” and no other filtering fields. As such, the filter VC does not have any non-empty matching filter paths{ "verifiableCredential": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://schema.inrupt.com/credentials/v1.jsonld" ], "type": [ "VerifiableCredential" ], "credentialSubject": { "hasConsent": { } } } }
This would match all access request VCs and access grant VCs associated with the user.
The filter’s
verifiableCredential
containstype
value of"VerifiableCredential"
and an empty values for the query fieldcredentialSubject.providedConsent
and no other filtering fields:{ "verifiableCredential": { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://schema.inrupt.com/credentials/v1.jsonld", "https://w3id.org/security/data-integrity/v1", "https://w3id.org/vc-revocation-list-2020/v1", "https://w3id.org/vc/status-list/2021/v1", "https://w3id.org/security/suites/ed25519-2020/v1" ], "credentialStatus": { "id": "https://vc./status/VfaR#98", "revocationListCredential": "https://vc.<ESS DOMAIN>/status/VfaR", "revocationListIndex": "98", "type": "RevocationList2020Status" }, "credentialSubject": { "providedConsent": { } }, "type": [ "VerifiableCredential" ] } }
Upon completion, the endpoint returns a Verifiable Presentation with the matching VCs; in this case, all access request VCs and access grant VCs associated with the user.
The VC API specification is in Draft status. Features based on draft specifications are subject to change.