keycloak-scim/topics/service/authorization/authorization-api-aapi.adoc

== Requesting Authorization Data and Token

Client applications using the UMA protocol can use a specific endpoint to obtain a special security token called *Requesting Party Token* or *RPT*.
This token consists of all the permissions granted to an user as a result of the evaluation of the permissions and authorization policies associated with the resource(s) being requested.
With an RPT in hand, client applications can gain access to protected resources at the resource server.

```bash
http://${host}:${port}/auth/realms/${realm_name}/authz/authorize
```

When asking for a RPT, you need to provide two things:

* A link:../protection/permission-api-papi.adoc[Permission Ticket] with the resources you want to access
* The link:./whatis-obtain-aat.adoc[AAT] (as a bearer token) representing user's identity and his consent to access authorization data on his behalf.

```bash
curl -X POST
    -H "Authorization: Bearer ${AAT}" -d '{
    "ticket" : ${PERMISSION_TICKET}
}' "http://localhost:8080/auth/realms/hello-world-authz/authz/authorize"
```

As a result, you will get the following response from the server:

```json
{"rpt":"${RPT}"}
```

=== Requesting Party Token or RPT

A RPT is a https://tools.ietf.org/html/rfc7519[JSON Web Token (JWT)] digitally signed using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON Web Signature (JWS)].
The token is built based on the AAT sent by the client during the authorization process.

When you decode a RPT you will see something like that:

```json
{
  "authorization": {
      "permissions": [
        {
          "resource_set_id": "d2fe9843-6462-4bfc-baba-b5787bb6e0e7",
          "resource_set_name": "Hello World Resource"
        }
      ]
  },
  "jti": "d6109a09-78fd-4998-bf89-95730dfd0892-1464906679405",
  "exp": 1464906971,
  "nbf": 0,
  "iat": 1464906671,
  "sub": "f1888f4d-5172-4359-be0c-af338505d86c",
  "typ": "kc_ett",
  "azp": "hello-world-authz-service"
}
```

From this token you can obtain all permissions granted by the server from the *permissions* claim.
More doc 2016-06-05 22:17:31 +00:00			`== Requesting Authorization Data and Token`

			`Client applications using the UMA protocol can use a specific endpoint to obtain a special security token called Requesting Party Token or RPT.`
			`This token consists of all the permissions granted to an user as a result of the evaluation of the permissions and authorization policies associated with the resource(s) being requested.`
[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`With an RPT in hand, client applications can gain access to protected resources at the resource server.`
More doc 2016-06-05 22:17:31 +00:00
			```bash
			`http://${host}:${port}/auth/realms/${realm_name}/authz/authorize`
			```

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`When asking for a RPT, you need to provide two things:`
More doc 2016-06-05 22:17:31 +00:00
Fixes based on Stian feedback. 2016-07-26 21:34:49 +00:00			`* A link:../protection/permission-api-papi.adoc[Permission Ticket] with the resources you want to access`
			`* The link:./whatis-obtain-aat.adoc[AAT] (as a bearer token) representing user's identity and his consent to access authorization data on his behalf.`
More doc 2016-06-05 22:17:31 +00:00
			```bash
			`curl -X POST`
			`-H "Authorization: Bearer ${AAT}" -d '{`
			`"ticket" : ${PERMISSION_TICKET}`
			`}' "http://localhost:8080/auth/realms/hello-world-authz/authz/authorize"`
			```

More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00			`As a result, you will get the following response from the server:`
More doc 2016-06-05 22:17:31 +00:00
			```json
			`{"rpt":"${RPT}"}`
			```

			`=== Requesting Party Token or RPT`

[KEYCLOAK-3546] - A lot of fixes and improvements to docs from srehorn. 2016-09-09 03:53:39 +00:00			`A RPT is a https://tools.ietf.org/html/rfc7519[JSON Web Token (JWT)] digitally signed using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON Web Signature (JWS)].`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00			`The token is built based on the AAT sent by the client during the authorization process.`
More doc 2016-06-05 22:17:31 +00:00
			`When you decode a RPT you will see something like that:`

			```json
			`{`
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00			`"authorization": {`
			`"permissions": [`
			`{`
			`"resource_set_id": "d2fe9843-6462-4bfc-baba-b5787bb6e0e7",`
			`"resource_set_name": "Hello World Resource"`
			`}`
			`]`
			`},`
More doc 2016-06-05 22:17:31 +00:00			`"jti": "d6109a09-78fd-4998-bf89-95730dfd0892-1464906679405",`
			`"exp": 1464906971,`
			`"nbf": 0,`
			`"iat": 1464906671,`
			`"sub": "f1888f4d-5172-4359-be0c-af338505d86c",`
			`"typ": "kc_ett",`
			`"azp": "hello-world-authz-service"`
			`}`
			```

More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00			`From this token you can obtain all permissions granted by the server from the permissions claim.`
More doc 2016-06-05 22:17:31 +00:00