keycloak-scim/authorization_services/topics/service-authorization-discovery-document.adoc

53 lines
2.3 KiB
Text
Raw Normal View History

[[_service_authorization_api]]
2018-03-19 20:45:49 +00:00
= Discovering Authorization Services Endpoints and Metadata
{project_name} provides a discovery document from which clients can obtain all necessary information to interact with
{project_name} Authorization Services, including endpoint locations and capabilities.
The discovery document can be obtained from:
```bash
curl -X GET \
http://${host}:${port}/auth/realms/${realm}/.well-known/uma2-configuration
```
Where `${host}:${port}` is the hostname (or IP address) and port where {project_name} is running and `${realm}` is the name of
a realm in {project_name}.
As a result, you should get a response as follows:
```bash
{
// some claims are expected here
// these are the main claims in the discovery document about Authorization Services endpoints location
"token_endpoint": "http://${host}:${post}/auth/realms/${realm}/protocol/openid-connect/token",
"token_introspection_endpoint": "http://${host}:${post}/auth/realms/${realm}/protocol/openid-connect/token/introspect",
"resource_registration_endpoint": "http://${host}:${post}/auth/realms/${realm}/authz/protection/resource_set",
"permission_endpoint": "http://${host}:${post}/auth/realms/${realm}/authz/protection/permission"
}
```
Each of these endpoints expose a specific set of capabilities:
* **token_endpoint**
+
A OAuth2-compliant Token Endpoint that supports the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type. Through this
endpoint clients can send authorization requests and obtain an RPT with all permissions granted by {project_name}.
+
* **token_introspection_endpoint**
+
A OAuth2-compliant Token Introspection Endpoint which clients can use to query the server to determine the active state of an RPT
and to determine any other information associated with the token, such as the permissions granted by {project_name}.
+
* **resource_registration_endpoint**
+
A UMA-compliant Resource Registration Endpoint which resource servers can use to manage their protected resources and scopes. This endpoint provides
operations create, read, update and delete resources and scopes in {project_name}.
+
* **permission_endpoint**
+
A UMA-compliant Permission Endpoint which resource servers can use to manage permission tickets. This endpoint provides
operations create, read, update, and delete permission tickets in {project_name}.