Delegated access
Delegated access is a mechanism of permissions delegation in DataPeps
Identities can act on behalf of each other with the use of the delegated access mechanism. Delegating access to an identity means authorizing access to the resources created by and shared with the identity.
Granting delegated access is a three-step process:
- Identity A requests the delegated access to Identity B.
- Identity B grants the access to Identity A.
- Identity A establishes a new delegated session that gives it access to the resources of Identity B.
To request delegated access, an identity needs to authenticate and identify itself. For that, the identity adds a signature to the delegated access request.
Here's how Alice requests delegated access to Bob's identity:
```javascript
// The SDK calls signFunction with the target identity's login and public key;
// Alice signs their concatenation (login || publicKey) with her own session key
// and returns her login as the requester together with the signature.
let signFunction = info => {
  let toSign = new Uint8Array(info.login.byteLength + info.publicKey.byteLength);
  toSign.set(info.login, 0);
  toSign.set(info.publicKey, info.login.byteLength);
  let signature = aliceSession.sign(toSign);
  return Promise.resolve({ requester: alice.login, signature });
};
let aliceAccessRequest = await DataPeps.DelegatedAccess.request(bobLogin, signFunction);
```
The returned object is used for the delegated session establishment.
After receiving a request for delegated access, an identity can grant it like this:
```javascript
let resolver = await new DataPeps.DelegatedAccessAPI(bobSession).resolveAccessRequest(aliceAccessRequest.id);
await resolver.resolve(bobLogin);
```
An identity can also grant access on behalf of another identity from its access group:
```javascript
let resolver = await new DataPeps.DelegatedAccessAPI(bobSession).resolveAccessRequest(aliceAccessRequest.id);
await resolver.resolve(bobSecondIdentity.login);
```
After Bob has resolved the delegated access request, Alice can create a delegated session:
```javascript
let aliceDelegatedSession = await aliceAccessRequest.waitSession();
```
Because Bob can resolve the request with any identity from his access group, the session Alice obtains is not necessarily Bob's own. Alice should therefore check the login of the delegated session before using it:
```javascript
let delegatedLogin = aliceDelegatedSession.login;
// Compare delegatedLogin with the login(s) Alice expects (for example bobLogin)
// and reject the session if it belongs to an identity she did not intend to act for.
```