Example Setup
This example setup shows one of the many possible ways to enable consent-based access decisions with IDENTOS Consent Management tools.
In our example, we'll build on the Access Management Example Setup by using an IDENTOS Wallet to add a user to the authorization flow. This simple consent flow...
TODO: Create overview diagram.
By the end of this tutorial, you'll have used the Wallet to do the following:
- Enroll an Authorization Server in the Wallet (Step 1)
- Add Resource Definitions in the Wallet (Step 2)
- Enroll a Data Source in the Wallet (Step 3)
If you'd like to try this setup for yourself, please note the following assumptions:
- You have admin access to an IDENTOS Wallet that's already installed and running (this should already be set up for you).
Define placeholder variables
TBD
TODO: Create overview diagram.
Enroll the Authorization Server used in the Access Management Quickstart
Create the same Resource types/definitions/scopes created in the Authorization Server from the Access Management Quickstart
Enroll a data source (in this case, the Resource Server from Access Management Quickstart; mention that an IDP can also be a data source)
Prerequisites: Configure Client as UMA Client, add/emphasize Client Redirect URL
Enroll the client from the Access Management Quickstart example (blood glucose app)
🌟 Key Concept: A Ticket is what allows a Client to obtain an Access Token from the Authorization Server. Tickets contain all the information that defines what Resources a Client can access.
To create a Ticket in the Authorization Server, we'll need to:
- Define the Ticket Purpose in the Authorization Server.
- Create a Capability Ticket in the Authorization Server. This links the Ticket Purpose to the Client making the request.
- Define the Requested Resource in the Authorization Server. This links the Client to the types of Resources and scopes they can access.
- Create a Requested Resource Capability Ticket in the Authorization Server. This combines the Capability Ticket and Requested Resource into a single Ticket that represents the Client's overall permissions for accessing a Resource.
For our example, we want to create a Ticket that allows the hospital's web application to read blood-glucose-level Resources.
Define the Ticket Purpose in the Authorization Server.
Run the API call below to declare that the purpose of the ticket is "Blood Glucose App wants to read your blood glucose records." In certain authorization flows, this is the message that would be presented to an end user. Since this is the first purpose we're declaring, it will be id = 1 in the purpose database.
Create a Capability Ticket for the Client in the Authorization Server.
Run the API call below to create the Blood Glucose App Ticket with the unique ID of blood-glucose-app in the capability-ticket database. This will also associate the Capability Ticket with the Ticket Purpose and the OAuth client (id = 1) created in Step 3.
Define the Requested Resource in the Authorization Server.
Run the API call below to associate the blood-glucose-level Resource Definition from Step 2 with the Client, Ticket Purpose, and read scope. Since this is our first Requested Resource, it will be id = 1 in the requested-resource database.
Create a Requested Resource Capability Ticket in the Authorization Server.
Finally, run the API call below to create a single Ticket that combines the Capability Ticket and Requested Resource we created in the previous API calls. Since this is the first Ticket we're making, it will be id = 1 in the requested-resources-capability-tickets database.
✅ Step 4 complete! Now that we have a Ticket, the Client can use the Ticket to obtain an Access Token from the Authorization Server.
Note that the Client won't necessarily "have" or "present" this Ticket itself. In reality, it's more of an internal record that the Authorization Server checks when a Client requests an Access Token.
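To make the four-step linkage concrete, here is an added, self-contained model of the records Step 4 creates and of the check the Authorization Server performs before issuing an Access Token. It is illustration code written for this page, not the IDENTOS API or its data model: the class names, field names, the in-memory "databases" and the consistency rules in `create_rr_capability_ticket` are assumptions, and the only values taken from the tutorial are the purpose text, the `blood-glucose-app` ticket ID, client `id = 1`, the `blood-glucose-level` resource type and the `read` scope.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TicketPurpose:
    id: int
    text: str  # message shown to an end user in consent-based flows


@dataclass(frozen=True)
class CapabilityTicket:
    id: str  # unique ID chosen by the operator, e.g. "blood-glucose-app"
    client_id: int
    purpose_id: int


@dataclass(frozen=True)
class RequestedResource:
    id: int
    client_id: int
    purpose_id: int
    resource_type: str
    scopes: frozenset


@dataclass(frozen=True)
class RequestedResourceCapabilityTicket:
    id: int
    capability_ticket_id: str
    requested_resource_id: int


@dataclass
class AuthorizationServer:
    """Hypothetical in-memory stand-in for the four databases named in Step 4."""
    purposes: dict = field(default_factory=dict)
    capability_tickets: dict = field(default_factory=dict)
    requested_resources: dict = field(default_factory=dict)
    rr_capability_tickets: dict = field(default_factory=dict)

    def define_purpose(self, text):
        purpose = TicketPurpose(id=len(self.purposes) + 1, text=text)
        self.purposes[purpose.id] = purpose
        return purpose

    def create_capability_ticket(self, ticket_id, client_id, purpose_id):
        if purpose_id not in self.purposes:
            raise ValueError("unknown purpose")
        ticket = CapabilityTicket(ticket_id, client_id, purpose_id)
        self.capability_tickets[ticket.id] = ticket
        return ticket

    def define_requested_resource(self, client_id, purpose_id, resource_type, scopes):
        if purpose_id not in self.purposes:
            raise ValueError("unknown purpose")
        rr = RequestedResource(len(self.requested_resources) + 1, client_id,
                               purpose_id, resource_type, frozenset(scopes))
        self.requested_resources[rr.id] = rr
        return rr

    def create_rr_capability_ticket(self, capability_ticket_id, requested_resource_id):
        # Assumed consistency rule: both halves must refer to the same client
        # and purpose, otherwise the combined Ticket would grant a Client
        # permissions that were declared for another one.
        cap = self.capability_tickets[capability_ticket_id]
        rr = self.requested_resources[requested_resource_id]
        if (cap.client_id, cap.purpose_id) != (rr.client_id, rr.purpose_id):
            raise ValueError("capability ticket and requested resource do not match")
        ticket = RequestedResourceCapabilityTicket(
            len(self.rr_capability_tickets) + 1, cap.id, rr.id)
        self.rr_capability_tickets[ticket.id] = ticket
        return ticket

    def can_issue_access_token(self, client_id, resource_type, scope):
        """The internal check: is there a combined Ticket covering this request?"""
        for ticket in self.rr_capability_tickets.values():
            cap = self.capability_tickets[ticket.capability_ticket_id]
            rr = self.requested_resources[ticket.requested_resource_id]
            if (cap.client_id == client_id and rr.resource_type == resource_type
                    and scope in rr.scopes):
                return True
        return False


def build_step4_example():
    """Replays the four Step 4 calls with the tutorial's values."""
    server = AuthorizationServer()
    purpose = server.define_purpose(
        "Blood Glucose App wants to read your blood glucose records.")
    cap = server.create_capability_ticket("blood-glucose-app", client_id=1,
                                          purpose_id=purpose.id)
    rr = server.define_requested_resource(client_id=1, purpose_id=purpose.id,
                                          resource_type="blood-glucose-level",
                                          scopes={"read"})
    server.create_rr_capability_ticket(cap.id, rr.id)
    return server


if __name__ == "__main__":
    s = build_step4_example()
    print(s.can_issue_access_token(1, "blood-glucose-level", "read"))   # True
    print(s.can_issue_access_token(1, "blood-glucose-level", "write"))  # False
```

The point the model makes is the one in the note above: the Client never carries the Ticket, so the only thing that matters at token time is whether a combined record exists for that client, resource type and scope. A request for a scope that was never declared (here, `write`) or from a client that was never enrolled is refused without any per-request consent lookup.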
🎉 Tutorial complete! Congratulations! You've just...
TBD
- Learn how to manage consent with the Wallet?
- Add an Identity Provider (as Data Source)