== Entitlements API

An entitlement in the context of an access control decision is a privilege for a user or a process to perform or have rights to an action on a resource. The concept is much the same as what we have been calling a permission.

However, the Entitlements API allows you to obtain all the entitlements or permissions given an OAuth2 _access_token_. Unlike the Authorization API, which is strongly based on UMA, this API provides a simpler way to obtain the permissions for a given user or entity in possession of an OAuth2 _access_token_.

In this case, {{book.project.name}} will evaluate the policies associated with every resource within a resource server and return the permissions that were granted during this process.

```bash
curl -X GET -H "Authorization: Bearer ${access_token}" "http://localhost:8080/auth/realms/photoz/authz/entitlement?resourceServerId=photoz-restful-api"
```

The resulting token from an "entitlements request" is the same as when you use the Authorization API. In the end you will get an RPT with all the permissions or entitlements for a given user.

When asking for entitlements, the corresponding _access_token_ must contain a *kc_entitlement* scope. In other words, the client asking for entitlements on behalf of a user must be granted this scope.
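The flow above, as an added example that is not part of the project's documentation: a client helper that checks the *kc_entitlement* scope on its own access token before calling the endpoint, builds the entitlement URL, and reads the granted permissions out of the returned RPT. It assumes the token's scopes live in a space-separated `scope` claim, that the endpoint answers with a JSON object carrying the RPT under `rpt`, and that the RPT lists permissions under `authorization.permissions` with `resource_set_name` and `scopes` fields; the sample tokens are constructed and unsigned.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Assumed claim names (not stated on the page); check them against your
# Keycloak version before relying on them.
ENTITLEMENT_SCOPE = "kc_entitlement"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a compact JWT, read WITHOUT signature verification.
    Fine for inspecting a token the realm just issued to this client; a
    resource server must verify the RPT signature before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def has_entitlement_scope(access_token):
    """True if the access token was granted the kc_entitlement scope."""
    return ENTITLEMENT_SCOPE in jwt_claims(access_token).get("scope", "").split()


def entitlement_url(base_url, realm, resource_server_id):
    query = urlencode({"resourceServerId": resource_server_id})
    return f"{base_url}/auth/realms/{realm}/authz/entitlement?{query}"


def fetch_rpt(url, access_token):
    """Perform the GET with the bearer token and return the RPT string (network call)."""
    if not has_entitlement_scope(access_token):
        raise PermissionError("access token lacks the kc_entitlement scope")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["rpt"]


def rpt_permissions(rpt):
    """Map each granted resource name to its sorted list of granted scopes."""
    perms = jwt_claims(rpt).get("authorization", {}).get("permissions", [])
    return {p.get("resource_set_name", p.get("resource_set_id")): sorted(p.get("scopes", []))
            for p in perms}


def _fake_jwt(payload):
    """Constructed, unsigned sample token for demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```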