keycloak-scim/topics/service/authorization/whatis-obtain-aat.adoc

== What is a AAT and How to Obtain it ?

An *Authorization API Token* or *AAT* is a special OAuth2 Access Token with the scope *uma_authorization*. When you create an user, {{book.project.name}} automatically
assigns a role _uma_authorization_ to the user. The _uma_authorization_ role is a _default realm role_ as you can see from this page.

.Default Role uma_authorization
image:../../../images/service/rs-uma-authorization-role.png[alt="Default Role uma_authorization "]

An AAT means that a client application is allowed to query the server for user permissions.

Client applications can obtain an AAT from {{book.project.name}} just like any other OAuth2 Access Token. Usually, client applications obtain AATs after the user is successfully
authenticated in {{book.project.name}}. By default the _authorizaton_code_ grant type is used to authenticate users and issue an OAuth2 Access Token to the client application acting on their behalf.

For demonstrations purposes, the example below uses Resource Owner Password Credentials Grant Type to ask for a AAT.

```bash
curl -X POST \
    -H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'username=${username}&password=${user_password}&grant_type=password' \
    "http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
```

As a result, you will get the following response from the server:

```json
{
  "access_token": ${AAT},
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": ${refresh_token},
  "token_type": "bearer",
  "id_token": ${id_token},
  "not-before-policy": 0,
  "session_state": "3cad2afc-855b-47b7-8e4d-a21c66e312fb"
}
```
More doc 2016-06-05 22:17:31 +00:00			`== What is a AAT and How to Obtain it ?`

Changes to service topics. 2016-06-16 17:28:05 +00:00			`An Authorization API Token or AAT is a special OAuth2 Access Token with the scope uma_authorization. When you create an user, {{book.project.name}} automatically`
			`assigns a role _uma_authorization_ to the user. The _uma_authorization_ role is a _default realm role_ as you can see from this page.`

			`.Default Role uma_authorization`
			`image:../../../images/service/rs-uma-authorization-role.png[alt="Default Role uma_authorization "]`

			`An AAT means that a client application is allowed to query the server for user permissions.`
More doc 2016-06-05 22:17:31 +00:00
More screenshots. Reviewing getting started tutorials. 2016-06-14 23:50:50 +00:00			`Client applications can obtain an AAT from {{book.project.name}} just like any other OAuth2 Access Token. Usually, client applications obtain AATs after the user is successfully`
			`authenticated in {{book.project.name}}. By default the _authorizaton_code_ grant type is used to authenticate users and issue an OAuth2 Access Token to the client application acting on their behalf.`
More doc 2016-06-05 22:17:31 +00:00
			`For demonstrations purposes, the example below uses Resource Owner Password Credentials Grant Type to ask for a AAT.`

			```bash
			`curl -X POST \`
			`-H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \`
			`-H "Content-Type: application/x-www-form-urlencoded" \`
			`-d 'username=${username}&password=${user_password}&grant_type=password' \`
			`"http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"`
			```

			`As a result, you will get the following response from the server:`

			```json
			`{`
			`"access_token": ${AAT},`
			`"expires_in": 300,`
			`"refresh_expires_in": 1800,`
			`"refresh_token": ${refresh_token},`
			`"token_type": "bearer",`
			`"id_token": ${id_token},`
			`"not-before-policy": 0,`
			`"session_state": "3cad2afc-855b-47b7-8e4d-a21c66e312fb"`
			`}`
Changes to service topics. 2016-06-16 17:28:05 +00:00			```