keycloak-scim/authorization_services/topics/service-authorization-obtaining-permission-authentication.adoc

35 lines
1.7 KiB
Text
Raw Normal View History

2018-03-19 20:45:49 +00:00
[[_authentication_methods]]
= Client Authentication Methods
Clients need to authenticate to the token endpoint in order to obtain an RPT. When using the `urn:ietf:params:oauth:grant-type:uma-ticket`
grant type, clients can use any of these authentication methods:
* *Bearer Token*
+
Clients should send an access token as a Bearer credential in an HTTP Authorization header to the token endpoint.
+
.Example: an authorization request using an access token to authenticate to the token endpoint
```bash
curl -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
```
+
This method is especially useful when the client is acting on behalf of a user.
In this case, the bearer token is an access token previously issued by {project_name} to some client acting on behalf
of a user (or on behalf of itself). Permissions will be evaluated considering the access context represented by the access token.
For instance, if the access token was issued to Client A acting on behalf of User A, permissions will be granted depending on
the resources and scopes to which User A has access.
* *Client Credentials*
+
Client can use any of the client authentication methods supported by {project_name}. For instance, client_id/client_secret or JWT.
+
.Example: an authorization request using an access token to authenticate to the token endpoint
```bash
curl -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-H "Authorization: Basic cGhvdGg6L7Jl13RmfWgtkk==pOnNlY3JldA==" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
```