Searching for consent granted by resource owner to requestor

Using the resource owner information from the Users identifier from the URL attribute, we need to determine what consent the owner has granted to a given requestor.
About this task

This task is useful for:

- Resource sharing or delegation where consent is granted to an individual (based on the collaborator claim)
- Data sharing where consent is granted to a third party (based on the audience claim)

This task uses the Trust Framework HTTP service to pull a claim from a request.
Steps

- Make sure you understand the body of the request that you are pulling a claim from.
  The following Postman image shows a request being made to a directory server. The consent definition is in the request URL and has the form share-meme-game-answers&subject=user.0&collaborator=user.1. The resource owner is given by the subject, and the person being shared with is given by the collaborator.
  We use the Consent Admin account for the service. In Postman, for Authorization, we use Basic Auth with the username Consent Admin and its password.
  The consent record is for the PingDirectory Consent API, but you can use other consent stores. We use this consent record to determine who a resource owner has given consent to.
- Copy the request URL to use in defining a Trust Framework service in the Policy Editor.
- Sign on to the Policy Editor.
- Create Trust Framework attributes for the Consent Admin account credentials.
  This is the Consent Admin account we used with Postman. We will create attributes for the username and password and then use those attributes when we define the Trust Framework HTTP service.
  - Go to Trust Framework and click Attributes.
  - From the menu, select Add new Attribute.
  - For the name, replace Untitled with ConsentService and click Save changes.
    This attribute will serve as a parent to the username and password attributes and will help organize the attributes.
  - From the menu, select Add new Attribute.
    Because the ConsentService attribute is selected, the new attribute is a child of it.
  - For the name, replace Untitled with Username, set Default value to Consent Admin, select the Secret option, and then click Save changes.
    The following image shows this configuration.
  - From the menu, select Add new Attribute.
  - For the name, replace Untitled with Password, set Default value to Consent Admin, select the Secret option, and then click Save changes.
    Selecting the Secret option keeps the value out of logs.
- Create the HTTP service.
  - Click Services along the top.
  - From the menu, select Add new Service.
  - For the name, replace Untitled with Search for consent to share game answers.
  - Set Service Type to HTTP.
  - Set URL to the request URL.
    In this case, the URL is:
    https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject=user.0&collaborator=user.1
  - Set Authentication to Basic.
    This setting requires a username and password. We will use the attributes we just created.
    - Set Username to ConsentService.Username.
    - Set Password to ConsentService.Password.
  - This setup uses a self-signed certificate, so set Server (TLS) to No Validation.
    This setting is for a development environment only. Do not use it in other environments.
  - Under Value Settings, set Type to JSON.
    The following image shows this configuration.
  - Click Save changes.
- Test the service.
  - Click Test above the Search for consent to share game answers service name.
  - Click Execute.
    The results should include a consents array. So the service works with the hard-coded values subject=user.0&collaborator=user.1. We need to use parameters in place of the subject and collaborator values so that the service works for anyone using the API.
- Click Details above the service name to update the service definition to replace the values with parameters.
  - In the URL field, replace the collaborator value, which is user.1. Delete user.1 and type two open curly braces ({{). Use the pop-up that appears to choose the HttpRequest.AccessToken.subject attribute. Recall from Getting the requestor identifier from the access token that this attribute specifies the requestor. The resource owner must have a consent record for the requestor to grant access.
    With this change, the URL changes from
    https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject=user.0&collaborator=user.1
    to
    https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject=user.0&collaborator={{HttpRequest.AccessToken.subject}}
  - Click Save changes.
  - Test the change by clicking Test, in the Request section, setting Attributes to HttpRequest.AccessToken.subject, specifying a value such as {"sub":"user.1"}, where user.1 has a consent record in your consent store, and clicking Execute.
    The result should include a consents array. Repeat the step for a user who does not have a consent record to verify that those results do not include a consents array.
  - Click Details to replace the subject value with a parameter.
    The subject is the resource owner. Recall from Getting a path component from the request URL that we have that information in the Users identifier from the URL attribute. Using curly braces to interpolate that attribute, the URL becomes:
    https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject={{Users identifier from the URL}}&collaborator={{HttpRequest.AccessToken.subject}}
  - Click Save changes.
  - Test this change the same way you tested the previous change: using two users, where one has a consent record and one does not.
    In the Overrides section, set Attributes to Users identifier from the URL with the value specifying the resource owner, which is user.0 in this case.
- Update the service to pull only the first consent record from the response instead of the entire response.
  The response starts with {"_embedded":{"consents":[{"_links":...,"localization":... and we want to pull the first consent record for the user, which starts after the square bracket ([).
  - Click Details to return to the service definition.
  - Click the icon next to Value Processors and click Add Processor.
  - Set Processor to JSON Path with a value of $._embedded.consents[0].
  - Set Value type to JSON.
    For an example, see the following image.
  - Click Save changes.
  - Test the change by clicking Test, in the Request section, setting Attributes to HttpRequest.AccessToken.subject, and specifying a value such as {"sub":"user.1"}, where user.1 has a consent record in your consent store. Then in the Overrides section, set Attributes to Users identifier from the URL with the value specifying user.0 again, and click Execute.
Result

The service returns only the user's first consent record. With the record isolated, you can pull the given requestor's status from the record.
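As an added example (not code from this page or from the product), the following Python mirrors what the finished service does end to end: it builds the templated consent URL from the two attribute values, queries a constructed stand-in for the Consent API, and applies the equivalent of the $._embedded.consents[0] processor, returning None when no consents array comes back. The endpoint and consent definition are the page's; the store contents, the record fields and the fake API are constructed for the example.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint and consent definition are the ones used on this page.
CONSENT_ENDPOINT = "https://pingdirectory:18443/consent/v1/consents"
DEFINITION = "share-meme-game-answers"

# Constructed stand-in for the consent store: (subject, collaborator) -> record.
# Only the _embedded.consents shape comes from the page; the record fields are made up.
CONSENT_STORE = {
    ("user.0", "user.1"): {"_links": {}, "subject": "user.0",
                           "collaborator": "user.1", "status": "accepted"},
}


def build_consent_url(owner: str, requestor: str) -> str:
    """Same URL the templated service builds from the two attributes, except that both
    values are URL-encoded so an identifier containing '&' or '=' cannot add or
    override query parameters."""
    query = urlencode({"definition": DEFINITION, "subject": owner, "collaborator": requestor})
    return f"{CONSENT_ENDPOINT}?{query}"


def fake_consent_api(url: str) -> str:
    """Constructed stand-in for the PingDirectory Consent API. Answers with the
    {"_embedded":{"consents":[...]}} shape seen on the page when a record exists,
    and with no consents array at all when none does."""
    params = parse_qs(urlparse(url).query)
    key = (params["subject"][0], params["collaborator"][0])
    record = CONSENT_STORE.get(key)
    if record is None:
        return json.dumps({"_embedded": {}})
    return json.dumps({"_embedded": {"consents": [record]}})


def first_consent(body: str):
    """Equivalent of the JSON Path value processor $._embedded.consents[0]: the first
    consent record, or None when the consents array is absent or empty."""
    consents = json.loads(body).get("_embedded", {}).get("consents") or []
    return consents[0] if consents else None


def lookup_consent(owner: str, requestor: str, fetch=fake_consent_api):
    """Resource owner (Users identifier from the URL) and requestor
    (HttpRequest.AccessToken.subject) in, isolated consent record or None out."""
    return first_consent(fetch(build_consent_url(owner, requestor)))
```

The None result is the case the page has you test with a second user: a policy built on this service should treat a missing consents array as no consent, not as an error to retry.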