keycloak-scim/topics/service/protection/whatis-obtain-pat.adoc

36 lines
1.6 KiB
Text
Raw Normal View History

== What is a PAT and How to Obtain It?
2016-06-05 22:17:31 +00:00
A *Protection API Token* (PAT) is a special OAuth2 Access Token with a scope defined as *uma_protection*. When you create a resource server, {{book.project.name}} automatically
creates a role _uma_protection_ for the corresponding client application and associates it with the client's service account.
2016-06-16 17:08:04 +00:00
.Service Account granted with *uma_protection* role
2016-06-16 17:08:04 +00:00
image:../../../images/service/rs-uma-protection-role.png[alt="Service Account granted with uma_protection role"]
2016-06-05 22:17:31 +00:00
Resource servers can obtain a PAT from {{book.project.name}} just like any other OAuth2 Access Token. For example, using curl:
2016-06-05 22:17:31 +00:00
```bash
curl -X POST \
-H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'grant_type=client_credentials' \
"http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
```
The example above is using the *client_credentials* grant type to obtain a PAT from the server. As a result, the server would return a response similar to the following:
2016-06-05 22:17:31 +00:00
[NOTE]
{{book.project.name}} can authenticate your client application in different ways. We are using *client_credentials* grant type for the sake of simplicity,
which basically requires a _client_id_ and a _client_secret_. You can choose any other supported authentication method.
2016-06-05 22:17:31 +00:00
```bash
{
"access_token": ${PAT},
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": ${refresh_token},
"token_type": "bearer",
"id_token": ${id_token},
"not-before-policy": 0,
"session_state": "ccea4a55-9aec-4024-b11c-44f6f168439e"
}
2016-06-16 17:08:04 +00:00
```