keycloak-scim/topics/service/authorization/authorization-api-aapi.adoc

59 lines
2.1 KiB
Text
Raw Normal View History

2016-11-29 15:30:53 +00:00
[[_service_authorization_api_aapi]]
2016-06-05 22:17:31 +00:00
== Requesting Authorization Data and Token
Client applications using the UMA protocol can use a specific endpoint to obtain a special security token called a requesting party token (RPT).
This token consists of all the permissions granted to a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested.
With an RPT, client applications can gain access to protected resources at the resource server.
2016-06-05 22:17:31 +00:00
```bash
http://${host}:${port}/auth/realms/${realm_name}/authz/authorize
```
When requesting an RPT, you need to provide two things:
2016-06-05 22:17:31 +00:00
2016-11-29 15:30:53 +00:00
* A <<fake/../../protection/permission-api-papi.adoc#_service_protection_permission_api_papi, permission ticket>> with the resources you want to access
* The <<fake/../whatis-obtain-aat.adoc#_service_authorization_aat, authorization API token (AAT)>> (as a bearer token) representing a user's identity and his consent to access authorization data on his behalf.
2016-06-05 22:17:31 +00:00
```bash
curl -X POST
-H "Authorization: Bearer ${AAT}" -d '{
"ticket" : ${PERMISSION_TICKET}
}' "http://localhost:8080/auth/realms/hello-world-authz/authz/authorize"
```
As a result, the server response is:
2016-06-05 22:17:31 +00:00
```json
{"rpt":"${RPT}"}
```
=== Requesting Party Token
2016-06-05 22:17:31 +00:00
A Requesting Party Token (RPT) is a https://tools.ietf.org/html/rfc7519[JSON web token (JWT)] digitally signed using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON Web Signature (JWS)].
The token is built based on the AAT sent by the client during the authorization process.
2016-06-05 22:17:31 +00:00
When you decode an RPT you will see something like:
2016-06-05 22:17:31 +00:00
```json
{
"authorization": {
"permissions": [
{
"resource_set_id": "d2fe9843-6462-4bfc-baba-b5787bb6e0e7",
"resource_set_name": "Hello World Resource"
}
]
},
2016-06-05 22:17:31 +00:00
"jti": "d6109a09-78fd-4998-bf89-95730dfd0892-1464906679405",
"exp": 1464906971,
"nbf": 0,
"iat": 1464906671,
"sub": "f1888f4d-5172-4359-be0c-af338505d86c",
"typ": "kc_ett",
"azp": "hello-world-authz-service"
}
```
From this token you can obtain all permissions granted by the server from the *permissions* claim.
2016-06-05 22:17:31 +00:00