keycloak-scim/topics/service/authorization/whatis-obtain-aat.adoc

== What is a AAT and How to Obtain it ?

An *Authorization API Token* or *AAT* is a special OAuth2 Access Token with the scope *uma_authorization*. When you create a user, {{book.project.name}} automatically
assigns a role _uma_authorization_ to the user. The _uma_authorization_ role is a _default realm role_ as you can see from this page.

.Default Role uma_authorization
image:../../../images/service/rs-uma-authorization-role.png[alt="Default Role uma_authorization "]

An AAT enables a client application to query the server for user permissions.

Client applications can obtain an AAT from {{book.project.name}} just like any other OAuth2 Access Token. Usually, client applications obtain AATs after the user is successfully
authenticated in {{book.project.name}}. By default, the _authorization_code_ grant type is used to authenticate users, and the server will issue an OAuth2 Access Token to the client application acting on their behalf.

For demonstration purposes, the example below uses Resource Owner Password Credentials Grant Type to request an AAT.

```bash
curl -X POST \
    -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'username=${username}&password=${user_password}&grant_type=password' \
    "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
```

As a result, you will get the following response from the server:

```json
{
  "access_token": ${AAT},
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": ${refresh_token},
  "token_type": "bearer",
  "id_token": ${id_token},
  "not-before-policy": 0,
  "session_state": "3cad2afc-855b-47b7-8e4d-a21c66e312fb"
}
```