
Resource Management API

Overview

The Resource Management API extends the /userinfo endpoint with additional APIs so that users can retrieve information about the resources they have access to: both their own and those for which they have been assigned as delegates at the Resource Server layer. Resources exposed through this API can be shared in an FPX flow in the same way as any resource the user owns directly.

Usage and Applicability

The primary objective of the Resource Management API is to give the Wallet Server (or any other consumer of this API) a way to retrieve the specific list of resources available to a particular user at the Resource Server. A Resource Server may expose many resources for FPX to consume, but only a subset of them may apply to a given user; the Resource Management API exposes that per-user allocation.

The most common use case is managing delegated resources at the Resource Server level. With this API, users of the Resource Server Adapter can delegate access to resources they own to other users, and the users receiving the delegation see those resources presented separately from their own.

Depending on business requirements, the Resource Management API can also be used for activities beyond Resource Server delegation.

Wallet as a Consumer of the Resource Management API

The Wallet Server can consume the Resource Management API feature provided by the Resource Server Adapter, which lets a user exercise authorizations they hold on other users' resources in place of their own resources during a consent flow.

On the Wallet Server side, no configuration is required beyond the standard configuration for onboarding a resource server. The Wallet Server automatically looks for the fields that resource delegation adds to the userinfo response of any RS and then attempts to call the /resources endpoint at that RS; if the endpoint does not exist, the consent flow continues undisturbed. For the standard configuration for adding a resource server, see the section of the Wallet Server user guide on adding resource servers.

Limitations

  • Related users (the users who delegate access) must have logged into the RSA at least once on their own before the Resource Management API can fetch their details.

  • Related users must hold a valid access token, or an expired access token with a non-expired refresh token, for their information to be fetched. A new access token can be acquired only by having the related user log into the RSA on their own again.

    • For example, if User B has delegated access to User A and both the access token and the refresh token expire after 1 hour, User A will not be able to fetch User B's information on logging in if 2 hours have passed since User B's last login. User B must log in again for the access and refresh tokens to be valid.

    • If the userinfo fetch at the fpxsp returns a 500 error with "Something went wrong, please contact the system administrator", disconnect the datasource, reconnect and log in as User A, then also connect and log in as User B on any account (there is no need to delete the OAuth tokens from the database).
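The following is an added example, not code from this documentation, the Wallet Server or the Resource Server Adapter. It models two behaviours described above: a consumer that reads the userinfo response, looks for a delegation marker and tries the RS's /resources endpoint without failing the consent flow when that endpoint does not exist, and the related-user token rule from the Limitations (a delegating user's information can be fetched only while they hold a valid access token, or an expired access token with a non-expired refresh token, both issued at their own login). The field names (`delegations`, `resources`, `delegated`, `owner`), the in-memory Resource Server and the token store are assumptions made for the example; the page does not specify a wire format.

```python
"""Added example; not code from the Resource Management API docs, the Wallet
Server or the Resource Server Adapter. Field names, the fake RS and the token
store are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # seconds


@dataclass(frozen=True)
class TokenSet:
    """Expiry times (epoch seconds) of the tokens the RSA holds for a user."""
    access_expires_at: float
    refresh_expires_at: float


def tokens_from_login(login_at: float, access_ttl: float, refresh_ttl: float) -> TokenSet:
    """Tokens are only minted when the user logs into the RSA themselves."""
    return TokenSet(login_at + access_ttl, login_at + refresh_ttl)


def related_user_fetchable(tokens: Optional[TokenSet], now: float) -> bool:
    """Can the related (delegating) user's details be fetched at `now`?
    None means that user has never logged into the RSA on their own."""
    if tokens is None:
        return False
    if now < tokens.access_expires_at:
        return True                          # access token still valid
    return now < tokens.refresh_expires_at   # access expired, refresh still usable


DELEGATION_FIELD = "delegations"  # assumed name of the userinfo field that flags delegated access


class FakeResourceServer:
    """Constructed stand-in for an RS: a userinfo document plus an optional
    /resources endpoint (404 when `resources` is None)."""

    def __init__(self, userinfo: dict, resources: Optional[dict] = None):
        self._userinfo = userinfo
        self._resources = resources

    def get(self, path: str):
        if path == "/userinfo":
            return 200, self._userinfo
        if path == "/resources" and self._resources is not None:
            return 200, self._resources
        return 404, None


def collect_resources(rs: FakeResourceServer, token_store: dict, now: float):
    """Return (own, delegated, skipped) for the user whose userinfo `rs` serves.

    `delegated` holds resources whose owner can still be fetched; `skipped`
    names owners who must log into the RSA again. A missing /resources
    endpoint yields no delegated resources but never aborts the flow."""
    status, userinfo = rs.get("/userinfo")
    if status != 200:
        raise RuntimeError(f"userinfo fetch failed with HTTP {status}")
    own = list(userinfo.get("resources", []))
    delegated, skipped = [], []
    if not userinfo.get(DELEGATION_FIELD):
        return own, delegated, skipped       # nothing delegated to this user
    status, body = rs.get("/resources")
    if status != 200:
        return own, delegated, skipped       # RS has no /resources: continue with own only
    for entry in body.get("delegated", []):
        owner = entry["owner"]
        if related_user_fetchable(token_store.get(owner), now):
            delegated.append(entry)
        else:
            skipped.append(owner)            # owner must log into the RSA again
    return own, delegated, skipped


def page_scenario(hours_since_b_login: float):
    """The page's example: User B delegates to User A; access and refresh
    TTLs are both one hour; User A logs in `hours_since_b_login` hours later."""
    b_login = 0.0
    now = b_login + hours_since_b_login * HOUR
    token_store = {"userB": tokens_from_login(b_login, HOUR, HOUR)}
    rs = FakeResourceServer(
        userinfo={"sub": "userA", "resources": ["acct-A1"], DELEGATION_FIELD: True},
        resources={"delegated": [{"owner": "userB", "resource": "acct-B1"}]},
    )
    return collect_resources(rs, token_store, now)


if __name__ == "__main__":
    print(page_scenario(2))    # two hours after B's login: B's resource is skipped
    print(page_scenario(0.5))  # within the hour: B's resource is delegated
```

Because the fallback is silent, a consumer cannot tell "this RS has no /resources endpoint" apart from "this user has no delegations" from the result alone; the `skipped` list in the example is there so the caller can at least see which delegators need to log in again rather than having their resources vanish without explanation.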