Decryption Workflow as a User?

[0xArch3r]

I am trying to use the SDK to authenticate to openTDF as a user. When trying to decrypt a TDF Object with an atrtibute applied, I notice the logs show a PERMIT message for jwtentity-1 which is my user who has the attribute, but a DENY for jwtentity-0 which is the opentdf-sdk client I am using. Is this expected? Should both those entities be in the request? How do I add the attributes to the sdk so that it can do what I need it to do if this is the expected behavior?

[jrschumacher]

Are you using the token exchange option within the SDK?

platform/sdk/options.go

Lines 120 to 129 in 93d8f70

	// WithTokenExchange specifies that the SDK should obtain its
	// access token by exchanging the given token for a new one
	func WithTokenExchange(subjectToken string, audience []string) Option {
	return func(c *config) {
	c.tokenExchange = &oauth.TokenExchangeInfo{
	SubjectToken: subjectToken,
	Audience: audience,
	}
	}
	}

[0xArch3r]

I did it with cert exchange and with token exchange.

We found through testing that the attribute does need to be set through a subject mapping where the client id is the id of the client and that would work. So it appears both the PE and NPE I need to have the attribute

[ttschampel]

This is expected behavior until #871 is decided and implemented to describe scoping and mechanisms to best disambiguate Entity Types

[jrschumacher]

@0xArch3r we've decided to use #1181 instead