2018-03-19 20:45:49 +00:00
|
|
|
[[_authentication_methods]]
|
2018-02-28 07:53:43 +00:00
|
|
|
= Client Authentication Methods
|
|
|
|
|
|
|
|
Clients need to authenticate to the token endpoint in order to obtain an RPT. When using the `urn:ietf:params:oauth:grant-type:uma-ticket`
|
|
|
|
grant type, clients can use any of these authentication methods:
|
|
|
|
|
|
|
|
* *Bearer Token*
|
|
|
|
+
|
|
|
|
Clients should send an access token as a Bearer credential in an HTTP Authorization header to the token endpoint.
|
|
|
|
+
|
|
|
|
.Example: an authorization request using an access token to authenticate to the token endpoint
|
|
|
|
```bash
|
|
|
|
curl -X POST \
|
|
|
|
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
|
|
|
|
-H "Authorization: Bearer ${access_token}" \
|
|
|
|
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
|
|
|
|
```
|
|
|
|
+
|
|
|
|
This method is especially useful when the client is acting on behalf of a user.
|
|
|
|
In this case, the bearer token is an access token previously issued by {project_name} to some client acting on behalf
|
|
|
|
of a user (or on behalf of itself). Permissions will be evaluated considering the access context represented by the access token.
|
|
|
|
For instance, if the access token was issued to Client A acting on behalf of User A, permissions will be granted depending on
|
|
|
|
the resources and scopes to which User A has access.
|
|
|
|
|
|
|
|
* *Client Credentials*
|
|
|
|
+
|
|
|
|
Client can use any of the client authentication methods supported by {project_name}. For instance, client_id/client_secret or JWT.
|
|
|
|
+
|
|
|
|
.Example: an authorization request using an access token to authenticate to the token endpoint
|
|
|
|
```bash
|
|
|
|
curl -X POST \
|
|
|
|
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
|
|
|
|
-H "Authorization: Basic cGhvdGg6L7Jl13RmfWgtkk==pOnNlY3JldA==" \
|
|
|
|
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"
|
|
|
|
```
|