Using the resource owner information from the Users identifier from the URL attribute, we need to determine what consent the owner has granted to a given requestor.
- Resource sharing or delegation, where consent is granted to an individual (based on the collaborator claim)
- Data sharing, where consent is granted to a third party (based on the audience claim)
- Make sure you understand the body of the request that you are pulling a claim from.
The following Postman image shows a request being made to a directory server. The request URL names the consent definition, share-meme-game-answers, and carries the query parameters subject=user.0&collaborator=user.1. The resource owner is given by the subject, and the person being shared with is given by the collaborator.
We use the Consent Admin account for the service. In Postman, for Authorization, we use Basic Auth with the username Consent Admin and its password.
The consent record is for the PingDirectory Consent API, but you can use other consent stores. We use this consent record to determine who a resource owner has given consent to.
- Copy the request URL to use in defining a Trust Framework service in the Policy Editor.
- Sign on to the Policy Editor.
- Create Trust Framework attributes for the Consent Admin account credentials.
This is the Consent Admin account we used with Postman. We will create attributes for the username and password and then use those attributes when we define the Trust Framework HTTP service.
- Go to Trust Framework and click Attributes.
- From the + menu, select Add new Attribute.
- For the name, replace Untitled with ConsentService and click Save changes.
This attribute will serve as a parent to the username and password attributes and will help organize the attributes.
- From the + menu, select Add new Attribute.
Because the ConsentService attribute is selected, the new attribute is a child of it.
- For the name, replace Untitled with Username, set Default value to Consent Admin, select the Secret option, and then click Save changes.
The following image shows this configuration.
- From the + menu, select Add new Attribute.
- For the name, replace Untitled with Password, set Default value to Consent Admin, select the Secret option, and then click Save changes. Selecting the Secret option keeps the item out of logs.
- Create the HTTP service.
- Click Services along the top.
- From the + menu, select Add new Service.
- For the name, replace Untitled with Search for consent to share game answers.
- Set Service Type to HTTP.
- Set URL to the request URL.
In this case, the URL is https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject=user.0&collaborator=user.1.
- Set Authentication to Basic.
This setting requires a username and password. We will use the attributes we just created.
- Set Username to ConsentService.Username.
- Set Password to ConsentService.Password.
- This setup uses a self-signed certificate, so set Server (TLS) to No Validation.
CAUTION: This setting is for a development environment only. Do not use it in other environments.
- Under Value Settings, set Type to JSON.
The following image shows this configuration.
- Click Save changes.
- Test the service.
- Click Test above the Search for consent to share game answers service name.
- Click Execute.
The results should include a consents array. So the service works with hard-coded values: subject=user.0&collaborator=user.1. We need to use parameters in place of the subject and collaborator values so that the service works for anyone using the API.
- Click Details above the service name to update the service definition to replace the values with parameters.
- In the URL field, replace the collaborator value, which is user.1. Delete user.1 and type two open curly braces ({{). Use the pop-up that appears to choose the HttpRequest.AccessToken.subject attribute.
Recall from Getting the requestor identifier from the access token that this attribute specifies the requestor. The resource owner must have a consent record for the requestor to grant access. With this change, the URL changes from
https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject=user.0&collaborator=user.1
to
https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject=user.0&collaborator={{HttpRequest.AccessToken.subject}}
- Click Save changes.
- Test the change by clicking Test, in the Request section, setting Attributes to HttpRequest.AccessToken.subject, specifying a value such as {"sub":"user.1"}, where user.1 has a consent record in your consent store, and clicking Execute.
The result should include a consents array. Repeat the step for a user who does not have a consent record to verify that those results do not include a consents array.
- Click Details to replace the subject value with a parameter.
The subject is the resource owner. Recall from Getting a path component from the request URL that we have that information in the Users identifier from the URL attribute. Using curly braces to interpolate that attribute, the URL becomes:
https://pingdirectory:18443/consent/v1/consents?definition=share-meme-game-answers&subject={{Users identifier from the URL}}&collaborator={{HttpRequest.AccessToken.subject}}
- Click Save changes.
- Test this change the same way you tested the previous change: using two users, where one has a consent record and one does not.
In the Overrides section, set Attributes to Users identifier from the URL with the value specifying the resource owner, which is user.0 in this case.
- Update the service to pull only the first consent record from the response instead of the entire response.
The response starts with {"_embedded":{"consents":[{_links":"localization": and we want to pull the first consent record for the user, which starts after the square bracket ([).
- Click Details to return to the service definition.
- Click the + next to Value Processors and click + Add Processor.
- Set Processor to JSON Path with a value of $._embedded.consents[0].
- Set Value type to JSON.
For an example, see the following image.
- Click Save changes.
- Test the change by clicking Test, in the Request section, setting Attributes to HttpRequest.AccessToken.subject, and specifying a value such as {"sub":"user.1"}, where user.1 has a consent record in your consent store. Then, in the Overrides section, set Attributes to Users identifier from the URL with the value specifying user.0 again, and click Execute.