2016-11-29 15:30:53 +00:00
[[_enforcer_bearer]]
2017-10-09 06:38:46 +00:00
= Protecting a Stateless Service Using a Bearer Token
2016-06-22 20:22:28 +00:00
2016-11-15 21:34:20 +00:00
If the adapter is configured with the `bearer-only` configuration option, the policy enforcer decides whether a request
to access a protected resource is allowed or denied based on the permissions of the bearer token.
2016-06-22 20:22:28 +00:00
2016-11-15 21:34:20 +00:00
. HTTP GET example passing an RPT as a bearer token
2016-06-22 20:22:28 +00:00
```bash
GET /my-resource-server/my-protected-resource HTTP/1.1
Host: host.com
Authorization: Bearer ${RPT}
...
```
2016-11-15 21:34:20 +00:00
In this example, a *keycloak.json* file in your application is similar to the following:
2016-06-22 20:22:28 +00:00
.Example of WEB-INF/keycloak.json with the bearer-only configuration option
```json
...
"bearer-only" : true,
...
```
2017-10-09 06:38:46 +00:00
== Authorization Response
2016-06-22 20:22:28 +00:00
When a client tries to access a resource server with a bearer token that is lacking permissions to access a protected resource, the resource server
2016-11-15 21:34:20 +00:00
responds with a *401* status code and a `WWW-Authenticate` header. The value of the `WWW-Authenticate` header depends on the authorization protocol
2016-06-22 20:22:28 +00:00
in use by the resource server.
2016-11-15 21:34:20 +00:00
Here is an example of a response from a resource server that is using UMA as the authorization protocol:
2016-06-22 20:22:28 +00:00
```bash
HTTP/1.1 401 Unauthorized
2018-02-28 07:53:43 +00:00
WWW-Authenticate: UMA realm="photoz-restful-api",as_uri="https://${host}:${post}/auth/realms/${realm}",ticket="${PERMISSION_TICKET}"
2016-06-22 20:22:28 +00:00
```
2017-08-28 12:50:14 +00:00
Once a client receives a response from the server, it examines the status code and `WWW-Authenticate` header to obtain an RPT from the {project_name} Server.
