deploy: 22289b3

primer/app-authorization-flow.bs

@@ -0,0 +1,93 @@
+<figure>
+    <table class="data tree" align="left">
+      <col>
+      <col>
+      <thead>
+        <tr>
+          <th>Step</th>
+          <th>Description</th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td><b>1</b></td>
+          <td>Alice finds an Application called Projectron that she'd like
+            to use to manage her Projects and Tasks.</td>
+        </tr>
+        <tr>
+          <td><b>2</b></td>
+          <td>Alice authenticates to Projectron with her WebID.</td>
+        </tr>
+        <tr>
+          <td><b>3</b></td>
+          <td>Projectron dereferences her WebID and retrieves Authorization Agent from her WebID Profile Document.</td>
+        </tr>
+        <tr>
+          <td><b>4</b></td>
+          <td>Projectron asks Alice's Authorization Agent whether Alice already has an Application Registration for Projectron.</td>
+        </tr>
+        <tr>
+          <td><b>5</b></td>
+          <td>Alice's Authorization Agent checks the Agent Registry in Alice's Pod for a Projectron Application Registration.</td>
+        </tr>
+        <tr>
+          <td><b>6</b></td>
+          <td>No Application Registration for Projectron is found.
+          Projectron now knows that Alice hasn't given it permission to access her data, so it must ask.</td>
+        </tr>
+        <tr>
+          <td><b>7</b></td>
+          <td>Projectron redirects Alice to her Authorization Agent, supplying its identifier for context.</td>
+        </tr>
+        <tr>
+          <td><b>8</b></td>
+          <td>Alice's Authorization Agent dereferences the supplied Projectron identifier, retrieving Projectron's
+          Application profile graph and corresponding Access Need Groups from the WebID Profile Document,
+          as well as <code>hasAuthorizationCallbackEndpoint</code>.</td>
+        </tr>
+        <tr>
+          <td><b>9</b></td>
+          <td>Alice's Authorization Agent presents the Access Need Groups from Projectron's Application
+          profile graph, so that Alice understands what kind of data is being requested, and why.</td>
+        </tr>
+        <tr>
+          <td><b>10</b></td>
+          <td>Alice's chooses the scope of access that Projectron will receive, to the data to 
+          which it has asked for access via the presented Access Needs.</td>
+        </tr>
+        <tr>
+          <td><b>11-13</b></td>
+          <td>Alice's Authorization Agent records her decision as an Access Authorization in Alice's
+            Authorization Registry. An Application Registration is created for Projectron in
+            Alice's Agent Registry. An Access Grant and corresponding Data Grants are generated
+            from the Access Authorization and stored in the Projectron Application Registration.
+        </tr>
+        <tr>
+          <td><b>14</b></td>
+          <td>Alice's Authorization Agent redirects her back to Projectron, now that the appropriate access has been granted.</td>
+        </tr>
+        <tr>
+          <td><b>15</b></td>
+          <td>Projectron again asks Alice's Authorization Agent for a Projectron Application Registration.</td>
+        </tr>
+        <tr>
+          <td><b>16</b></td>
+          <td>Alice's Authorization Agent finds the newly created Projectron Application Registration in the Agent Registry in Alice's Pod.</td>
+        </tr>
+        <tr>
+          <td><b>17</b></td>
+          <td>Alice's Authorization Agent provides the URI of the Application Registration to Projectron.</td>
+        </tr>
+        <tr>
+          <td><b>18</b></td>
+          <td>Projectron learns what access it received through the Access Grant in Alice's Projectron Application Registration.</td>
+        </tr>
+        <tr>
+          <td><b>19</b></td>
+          <td>Projectron may now function as intended, within the scope of authorization it was given by Alice.</td>
+        </tr>
+      </tbody>
+    </table>
+</figure>
+
+<img class="sequence-diagram" src="diagrams/application-requests-access-flow.seq.mmd.svg">

primer/application.bs

@@ -106,16 +106,24 @@ Details in <a href="https://solid.github.io/data-interoperability-panel/specific
 
 ## User Consent ## {#user-consent}
 
-In case where application haven't been registered yet it needs to initiate flow with Authorization Agent.
+In cases where an application hasn't been registered yet, it needs to initiate the flow with the Authorization Agent.
 
-Issue: Add details as soon as defined for Authorization Agent
+After successful flow, the application will be able to discover its registration.
 
-After successful flow aplication will be able to discover its registration.
+<pre class=include>path: app-authorization-flow.bs</pre>
+
+## Resource Indication ## {#resource-indication}
+
+When the application has already been registered, and the user wants to
+initiate a sharing-specific [[#data-instance]], an authorization flow with resource
+indication is available.
+
+<pre class=include>path: resource-indication-flow.bs</pre>
 
 # Application Registration # {#application-registration}
 
 Application Registration can be considered an entry point to all the data
-that user authorized it to access. Next step in discovery of that data
+that the user authorized it to access. The next step in the discovery of that data
 is the Access Grant linked via <code>interop:hasAccessGrant</code> predicate.
 
 <figure>
@@ -149,7 +157,7 @@ via <code>interop:hasDataGrant</code> predicate.
 
 # Data Registration # {#data-registration}
 
-<img class="flowchart-diagram" src="diagrams/pro.alice.example.flow.mmd.png" />
+<img class="flowchart-diagram" src="diagrams/pro.alice.example.flow.mmd.png">
 
 <figure>
   <pre class=include-code>