keycloak-scim/authorization_services/topics/service-authorization-uma-submiting-permission-requests.adoc

[[_service_authorization_aat]]
= Submitting permission requests

As part of the authorization process, clients need first to obtain a permission ticket from a UMA protected resource server in order
to exchange it with an RPT at the {project_name} Token Endpoint.

By default, {project_name} responds with a `403` HTTP status code and a `request_denied` error in case the client can not be issued with an RPT.

.{project_name} denies the authorization request
```bash
HTTP/1.1 403 Forbidden
Content-Type: application/json
...
{
    "error": "access_denied",
    "error_description": "request_denied"
}
```

Such response implies that {project_name} could not issue an RPT with the permissions represented by a permission ticket.

In some situations, client applications may want to start an asynchronous authorization flow and let the owner of the resources
being requested decide whether or not access should be granted. For that, clients can use the `submit_request` request parameter along
with an authorization request to the token endpoint:

[source,bash,subs="attributes+"]
----
curl -X POST \
  http://${host}:${port}{kc_realms_path}/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "ticket=${permission_ticket} \
  --data "submit_request=true"
----

When using the `submit_request` parameter, {project_name} will persist a permission request for each resource to which access was denied.
Once created, resource owners can check their account and manage their permissions requests.

You can think about this functionality as a `Request Access` button in your application, where users can ask other users for access to their resources.
[KEYCLOAK-3169] - UMA 2.0 related changes (#325) * [KEYCLOAK-3169] - Updating authz services doc * [KEYCLOAK-3169] - Section about changes to user account service * [KEYCLOAK-3169] - Removing UMA 1.0 references * [KEYCLOAK-3169] - RH-SSO images * [KEYCLOAK-3169] - Updating Keycloak images * [KEYCLOAK-3169] - Review * [KEYCLOAK-3169] - Review 2018-02-28 07:53:43 +00:00			`[[_service_authorization_aat]]`
KEYCLOAK-16923-FIX Revising Authorization Services Guide for Red Hat Standards (#1358) 2022-04-18 14:10:57 +00:00			`= Submitting permission requests`
[KEYCLOAK-3169] - UMA 2.0 related changes (#325) * [KEYCLOAK-3169] - Updating authz services doc * [KEYCLOAK-3169] - Section about changes to user account service * [KEYCLOAK-3169] - Removing UMA 1.0 references * [KEYCLOAK-3169] - RH-SSO images * [KEYCLOAK-3169] - Updating Keycloak images * [KEYCLOAK-3169] - Review * [KEYCLOAK-3169] - Review 2018-02-28 07:53:43 +00:00
			`As part of the authorization process, clients need first to obtain a permission ticket from a UMA protected resource server in order`
			`to exchange it with an RPT at the {project_name} Token Endpoint.`

			By default, {project_name} responds with a `403` HTTP status code and a `request_denied` error in case the client can not be issued with an RPT.

			`.{project_name} denies the authorization request`
			```bash
			`HTTP/1.1 403 Forbidden`
			`Content-Type: application/json`
			`...`
			`{`
			`"error": "access_denied",`
			`"error_description": "request_denied"`
			`}`
			```

			`Such response implies that {project_name} could not issue an RPT with the permissions represented by a permission ticket.`

			`In some situations, client applications may want to start an asynchronous authorization flow and let the owner of the resources`
			being requested decide whether or not access should be granted. For that, clients can use the `submit_request` request parameter along
			`with an authorization request to the token endpoint:`

Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`[source,bash,subs="attributes+"]`
			`----`
[KEYCLOAK-3169] - UMA 2.0 related changes (#325) * [KEYCLOAK-3169] - Updating authz services doc * [KEYCLOAK-3169] - Section about changes to user account service * [KEYCLOAK-3169] - Removing UMA 1.0 references * [KEYCLOAK-3169] - RH-SSO images * [KEYCLOAK-3169] - Updating Keycloak images * [KEYCLOAK-3169] - Review * [KEYCLOAK-3169] - Review 2018-02-28 07:53:43 +00:00			`curl -X POST \`
Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`http://${host}:${port}{kc_realms_path}/${realm}/protocol/openid-connect/token \`
[KEYCLOAK-3169] - UMA 2.0 related changes (#325) * [KEYCLOAK-3169] - Updating authz services doc * [KEYCLOAK-3169] - Section about changes to user account service * [KEYCLOAK-3169] - Removing UMA 1.0 references * [KEYCLOAK-3169] - RH-SSO images * [KEYCLOAK-3169] - Updating Keycloak images * [KEYCLOAK-3169] - Review * [KEYCLOAK-3169] - Review 2018-02-28 07:53:43 +00:00			`-H "Authorization: Bearer ${access_token}" \`
			`--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \`
			`--data "ticket=${permission_ticket} \`
			`--data "submit_request=true"`
Update documentation for Quarkus distribution (#1385) 2022-02-08 13:07:16 +00:00			`----`
[KEYCLOAK-3169] - UMA 2.0 related changes (#325) * [KEYCLOAK-3169] - Updating authz services doc * [KEYCLOAK-3169] - Section about changes to user account service * [KEYCLOAK-3169] - Removing UMA 1.0 references * [KEYCLOAK-3169] - RH-SSO images * [KEYCLOAK-3169] - Updating Keycloak images * [KEYCLOAK-3169] - Review * [KEYCLOAK-3169] - Review 2018-02-28 07:53:43 +00:00
			When using the `submit_request` parameter, {project_name} will persist a permission request for each resource to which access was denied.
			`Once created, resource owners can check their account and manage their permissions requests.`

			You can think about this functionality as a `Request Access` button in your application, where users can ask other users for access to their resources.