keycloak-scim/authorization_services/topics/enforcer/keycloak-enforcement-bearer.adoc

[[_enforcer_bearer]]
==== Protecting a Stateless Service Using a Bearer Token

If the adapter is configured with the `bearer-only` configuration option, the policy enforcer decides whether a request
to access a protected resource is allowed or denied based on the permissions of the bearer token.

. HTTP GET example passing an RPT as a bearer token
```bash
GET /my-resource-server/my-protected-resource HTTP/1.1
Host: host.com
Authorization: Bearer ${RPT}
...
```

In this example, a *keycloak.json* file in your application is similar to the following:

.Example of WEB-INF/keycloak.json with the bearer-only configuration option
```json
...
"bearer-only" : true,
...
```

===== Authorization Response

When a client tries to access a resource server with a bearer token that is lacking permissions to access a protected resource, the resource server
responds with a *401* status code and a `WWW-Authenticate` header. The value of the `WWW-Authenticate` header depends on the authorization protocol
in use by the resource server.

Here is an example of a response from a resource server that is using UMA as the authorization protocol:

```bash
HTTP/1.1 401 Unauthorized
WWW-Authenticate: UMA realm="photoz-restful-api",as_uri="http://localhost:8080/auth/realms/photoz/authz/authorize",ticket="${PERMISSION_TICKET}"
```

And another example when the resource server is using the Entitlement protocol:

```bash
HTTP/1.1 401 Unauthorized
WWW-Authenticate: KC_ETT realm="photoz-restful-api",as_uri="http://localhost:8080/auth/realms/photoz/authz/entitlement"
```

Once  a client receives a response from the server, it examines the status code and `WWW-Authenticate` header to obtain an RPT from the {project_name} Server.
[RHSSO-599] - Replacing link with fake 2016-11-29 15:30:53 +00:00			`[[_enforcer_bearer]]`
fixing remaining header issues so TOC levels are correct 2016-12-02 16:58:27 +00:00			`==== Protecting a Stateless Service Using a Bearer Token`
More doc for policy enforcers 2016-06-22 20:22:28 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			If the adapter is configured with the `bearer-only` configuration option, the policy enforcer decides whether a request
			`to access a protected resource is allowed or denied based on the permissions of the bearer token.`
More doc for policy enforcers 2016-06-22 20:22:28 +00:00
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`. HTTP GET example passing an RPT as a bearer token`
More doc for policy enforcers 2016-06-22 20:22:28 +00:00			```bash
			`GET /my-resource-server/my-protected-resource HTTP/1.1`
			`Host: host.com`
			`Authorization: Bearer ${RPT}`
			`...`
			```

General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`In this example, a keycloak.json file in your application is similar to the following:`
More doc for policy enforcers 2016-06-22 20:22:28 +00:00
			`.Example of WEB-INF/keycloak.json with the bearer-only configuration option`
			```json
			`...`
			`"bearer-only" : true,`
			`...`
			```

fixing remaining header issues so TOC levels are correct 2016-12-02 16:58:27 +00:00			`===== Authorization Response`
More doc for policy enforcers 2016-06-22 20:22:28 +00:00
			`When a client tries to access a resource server with a bearer token that is lacking permissions to access a protected resource, the resource server`
General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			responds with a 401 status code and a `WWW-Authenticate` header. The value of the `WWW-Authenticate` header depends on the authorization protocol
More doc for policy enforcers 2016-06-22 20:22:28 +00:00			`in use by the resource server.`

General cleanup and edits of the documentation 2016-11-15 21:34:20 +00:00			`Here is an example of a response from a resource server that is using UMA as the authorization protocol:`
More doc for policy enforcers 2016-06-22 20:22:28 +00:00
			```bash
			`HTTP/1.1 401 Unauthorized`
			`WWW-Authenticate: UMA realm="photoz-restful-api",as_uri="http://localhost:8080/auth/realms/photoz/authz/authorize",ticket="${PERMISSION_TICKET}"`
			```

			`And another example when the resource server is using the Entitlement protocol:`

			```bash
			`HTTP/1.1 401 Unauthorized`
			`WWW-Authenticate: KC_ETT realm="photoz-restful-api",as_uri="http://localhost:8080/auth/realms/photoz/authz/entitlement"`
			```

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			Once a client receives a response from the server, it examines the status code and `WWW-Authenticate` header to obtain an RPT from the {project_name} Server.
More doc for policy enforcers 2016-06-22 20:22:28 +00:00