This example demonstrates the resource-managed flow where resources challenge agents to obtain auth tokens from the Person Server before granting access.
When to Use
Resource-managed mode is suitable when:
Resources need to verify human authorization for the agent
Fine-grained scope-based access control is required
Resources want the Person Server to enforce authorization policies
How It Works
Initial request: Agent sends a signed request without an auth token
Challenge: Resource returns 401 Unauthorized with WWW-Authenticate: AAuth challenge containing a resource token
Token exchange: Agent exchanges the resource token at the Person Server for an auth token
Authorized request: Agent retries with both signature and auth token
Access granted: Resource verifies signature and auth token, then grants access
Key Components
ResourceServer: Issues resource tokens in challenges, verifies auth tokens
AuthServer (Person Server): Exchanges resource tokens for auth tokens
Resource Token (aa-resource+jwt): Contains agent JKT, scope, and resource URL
Package main demonstrates the AAuth resource-managed flow.
In the resource-managed flow:
1. Agent presents identity to resource
2. Resource returns WWW-Authenticate challenge with resource token
3. Agent exchanges resource token at Person Server for auth token
4. Agent presents both identity and auth token to resource
This flow is used when resources need to verify that the Person Server
has authorized the agent for specific scopes.