Access Requests and Grants
Inrupt’s Enterprise Solid Server (ESS) provides support for Access Requests and Grants. With Access Requests and Grants:
An agent can request access to Resources hosted on a Pod. This Access Request includes the specific access mode (e.g., read, write, append) being requested, the Resources to access, the Purpose for which the data will be used, and other optional fields.
The owner of the requested Resources (i.e., individuals with Control access to the requested Resources) can review the Access Request and either approve the Access Request, resulting in an Access Grant, or deny the Access Request, resulting in an Access Denial.
If the requesting agent has an Access Grant, the requesting agent can exchange the Access Grant for an access token in order to access the Resources.
Important
An Access Request that specifies a Container also applies to the Container’s descendants unless explicitly specified otherwise in the Request with an inherit: false.
An Access Grant that specifies a Container also applies to the Container’s descendants unless explicitly specified otherwise in the approved Access Grant with an inherit: false.
To set the inherit field in Access Requests/Access Grants, @inrupt/solid-client-access-grants-js adds an inherit: <boolean> option to issueAccessRequest and approveAccessRequest.
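The inheritance rule above determines how much of a Pod a single approval exposes, so it is worth checking before approving a Request on a Container. The following is an added example, not Inrupt's code or ESS's enforcement logic: it models the rule on a simplified credential object whose { resources, inherit } shape and the helper names are assumptions made for illustration.

```javascript
// Added example: models the documented inheritance rule. The credential shape
// { resources, inherit } and these helper names are assumptions, not ESS APIs.

// In Solid, a Container URL ends with "/"; anything else is a plain Resource.
function isContainer(url) {
  return new URL(url).pathname.endsWith("/");
}

// Returns true if `target` falls within the scope of `credential`.
// `inherit` defaults to true, matching the documented behaviour.
function isCovered(credential, target) {
  const inherit = credential.inherit !== false;
  const t = new URL(target); // the URL parser resolves "." and ".." segments
  return credential.resources.some((res) => {
    const r = new URL(res);
    if (r.origin !== t.origin) return false;
    if (r.pathname === t.pathname) return true; // exact match always counts
    // Descendants are in scope only for Containers, and only when inherited.
    // Because the Container path ends in "/", ".../myphotos/" cannot match
    // a sibling such as ".../myphotos-backup/".
    return inherit && isContainer(res) && t.pathname.startsWith(r.pathname);
  });
}

// Constructed sample data based on the scenario URLs used on this page.
const base = "https://storage.example.com/someContainer/";
const broad = { resources: [base + "myphotos/"] }; // inherit omitted
const narrow = { resources: [base + "myphotos/"], inherit: false };

// Compares what each credential covers for a set of constructed targets.
function demo() {
  const targets = [
    base + "myphotos/",
    base + "myphotos/apples.jpg",
    base + "myphotos/2023/trip/grapes.jpg",
    base + "myphotos-backup/apples.jpg",
    base + "myphotos/../private/notes.ttl",
  ];
  return targets.map((u) => ({
    target: u,
    broad: isCovered(broad, u),
    narrow: isCovered(narrow, u),
  }));
}

console.table(demo());
```

With inherit omitted, approving the Container covers every photo beneath it, including nested ones; with inherit: false only the Container itself is in scope.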
Inrupt Client Library
To support ESS’ Access Requests and Grants feature, Inrupt provides the @inrupt/solid-client-access-grants library. This library contains APIs to manage Access Requests and Grants issued by ESS.
npm install @inrupt/solid-client-access-grants
Usage Scenario
In the following usage scenario, a user wants to print some photos that are stored in their Pod. The user visits the ExamplePrinter’s web application, which provides photo printing services. When the ExamplePrinter’s web application asks for the photos to print, the user enters the URLs of the photos. To continue, the ExamplePrinter’s website asks for access to read the photos.
For example, assume the user snoringsue with the WebID (https://id.example.com/snoringsue) is on ExamplePrinter’s web application to print the following photos:
"https://storage.example.com/someContainer/myphotos/apples.jpg"
"https://storage.example.com/someContainer/myphotos/persimmons.jpg"
"https://storage.example.com/someContainer/myphotos/grapes.jpg"
The following diagram gives an overview of the flow (in the example, the Access Requests and Grants are serialized as Verifiable Credentials, or VCs):
Sequence diagram of the Access Request flow where snoringsue is requested access to her photos by ExamplePrinter and approves the Request.
Next Steps
To make Access Requests. If access is granted, use the Access Grants to access the resource (such as the ExamplePrinter application in the above diagram).
To approve or deny Access Requests (such as the Access Management application in the above diagram).
To query for Access Credentials based on a set of filters.
To get values out of Access Requests and Access Grants (such as how the ExamplePrinter application in the above diagram determines which resources it has access to).