2018-02-28 07:53:43 +00:00
[[_service_uma_authorization_process]]
2022-04-18 14:10:57 +00:00
= Authorization process
2018-02-28 07:53:43 +00:00
In UMA, the authorization process starts when a client tries to access a UMA protected resource server.
A UMA protected resource server expects a bearer token in the request where the token is an RPT. When a client requests
2021-11-10 10:34:08 +00:00
a resource at the resource server without a RPT:
2018-02-28 07:53:43 +00:00
.Client requests a protected resource without sending an RPT
```bash
curl -X GET \
2019-01-25 11:56:15 +00:00
http://${host}:${port}/my-resource-server/resource/1bfdfe78-a4e1-4c2d-b142-fc92b75b986f
2018-02-28 07:53:43 +00:00
```
The resource server sends a response back to the client with a permission `ticket` and a `as_uri` parameter with the location
of a {project_name} server to where the ticket should be sent in order to obtain an RPT.
.Resource server responds with a permission ticket
2022-02-08 13:07:16 +00:00
[source,bash,subs="attributes+"]
----
2018-02-28 07:53:43 +00:00
HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA realm="${realm}",
2022-02-08 13:07:16 +00:00
as_uri="https://${host}:${port}{kc_realms_path}/${realm}",
2018-02-28 07:53:43 +00:00
ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"
2022-02-08 13:07:16 +00:00
----
2018-02-28 07:53:43 +00:00
The permission ticket is a special type of token issued by {project_name} Permission API. They represent the permissions being requested (e.g.: resources and scopes)
as well any other information associated with the request. Only resource servers are allowed to create those tokens.
Now that the client has a permission ticket and also the location of a {project_name} server, the client can use the discovery document
to obtain the location of the token endpoint and send an authorization request.
.Client sends an authorization request to the token endpoint to obtain an RPT
2022-02-08 13:07:16 +00:00
[source,bash,subs="attributes+"]
----
2018-02-28 07:53:43 +00:00
curl -X POST \
2022-02-08 13:07:16 +00:00
http://${host}:${port}{kc_realms_path}/${realm}/protocol/openid-connect/token \
2018-02-28 07:53:43 +00:00
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "ticket=${permission_ticket}
2022-02-08 13:07:16 +00:00
----
2018-02-28 07:53:43 +00:00
2019-05-22 05:09:57 +00:00
If {project_name} assessment process results in issuance of permissions, it issues the RPT with which it has associated
2018-02-28 07:53:43 +00:00
the permissions:
.{project_name} responds to the client with the RPT
```bash
HTTP/1.1 200 OK
Content-Type: application/json
...
{
"access_token": "${rpt}",
}
```
The response from the server is just like any other response from the token endpoint when using some other grant type. The RPT can be obtained from
the `access_token` response parameter. In case the client is not authorized to have permissions {project_name} responds with a `403` HTTP status code:
.{project_name} denies the authorization request
```bash
HTTP/1.1 403 Forbidden
Content-Type: application/json
...
{
"error": "access_denied",
"error_description": "request_denied"
}
2019-01-25 11:56:15 +00:00
```
