From ffdf7957cab6fe91eb5a1148c009e90c0658e233 Mon Sep 17 00:00:00 2001 From: Jen Malloy Date: Fri, 2 Dec 2016 11:58:27 -0500 Subject: [PATCH] fixing remaining header issues so TOC levels are correct --- SUMMARY.adoc | 2 +- topics/enforcer/authorization-context.adoc | 2 +- topics/enforcer/https.adoc | 6 +++--- topics/enforcer/js-adapter.adoc | 8 ++++---- topics/enforcer/keycloak-enforcement-bearer.adoc | 4 ++-- topics/permission/typed-resource-permission.adoc | 2 +- topics/resource-server/default-config.adoc | 2 +- topics/service/authorization/authorization-api-aapi.adoc | 4 ++-- topics/service/authorization/whatis-obtain-aat.adoc | 2 +- topics/service/entitlement/entitlement-api-aapi.adoc | 8 ++++---- topics/service/protection/permission-api-papi.adoc | 2 +- topics/service/protection/resources-api-papi.adoc | 2 +- topics/service/protection/whatis-obtain-pat.adoc | 2 +- 13 files changed, 23 insertions(+), 23 deletions(-) diff --git a/SUMMARY.adoc b/SUMMARY.adoc index d2cdf13982..276fa61986 100755 --- a/SUMMARY.adoc +++ b/SUMMARY.adoc @@ -80,7 +80,7 @@ .. link:topics/service/authorization/authorization-api.adoc[Authorization API] - ... link:topics/service/authorization/whatis-obtain-aat.adoc[What is a AAT and How to Obtain It] + ... link:topics/service/authorization/whatis-obtain-aat.adoc[What is an AAT and How to Obtain It] ... link:topics/service/authorization/authorization-api-aapi.adoc[Requesting Authorization Data and Token] diff --git a/topics/enforcer/authorization-context.adoc b/topics/enforcer/authorization-context.adoc index b3884bb15b..8053c71e49 100755 --- a/topics/enforcer/authorization-context.adoc +++ b/topics/enforcer/authorization-context.adoc 
@@ -1,5 +1,5 @@ [[_enforcer_authorization_context]] -=== Obtaining the Authorization Context +==== Obtaining the Authorization Context When policy enforcement is enabled, the permissions obtained from the server are available through `org.keycloak.AuthorizationContext`. This class provides several methods you can use to obtain permissions and ascertain whether a permission was granted for a particular resource or scope. diff --git a/topics/enforcer/https.adoc b/topics/enforcer/https.adoc index 1f04170bd7..1a727bba20 100644 --- a/topics/enforcer/https.adoc +++ b/topics/enforcer/https.adoc @@ -1,7 +1,7 @@ [[_enforcer_filter_using_https]] -=== Setting Up TLS/HTTPS +==== Setting Up TLS/HTTPS -When the server is using HTTPS, make sure your adapter is configured as follows: +When the server is using HTTPS, ensure your adapter is configured as follows: .keycloak.json ```json @@ -15,5 +15,5 @@ The configuration above enables TLS/HTTPS to the Authorization Client, making po {{book.project.name}} Server remotely using the HTTPS scheme. [NOTE] -Is strongly recommended that you enable TLS/HTTPS when accessing the {{book.project.name}} Server endpoints. +It is strongly recommended that you enable TLS/HTTPS when accessing the {{book.project.name}} Server endpoints. diff --git a/topics/enforcer/js-adapter.adoc b/topics/enforcer/js-adapter.adoc index f31991b2a6..41ad068153 100755 --- a/topics/enforcer/js-adapter.adoc +++ b/topics/enforcer/js-adapter.adoc @@ -1,5 +1,5 @@ [[_enforcer_js_adapter]] -=== JavaScript Integration +==== JavaScript Integration The {{book.project.name}} Server comes with a JavaScript library you can use to interact with a resource server protected by a policy enforcer. This library is based on the {{book.external_link.keycloakjsadapter.link}}[{{book.project.name}} {{book.external_link.keycloakjsadapter.name}}], which can be integrated to allow your client to obtain permissions from a {{book.project.name}} Server. 
@@ -26,7 +26,7 @@ The *keycloak-authz.js* library provides two main features: In both cases, the library allows you to easily interact with both resource server and {{book.project.name}} {{book.project.module}} to obtain tokens with permissions your client can use as bearer tokens to access the protected resources on a resource server. -==== Handling Authorization Responses from a Resource Server +===== Handling Authorization Responses from a Resource Server If a resource server is protected by a policy enforcer, it responds to client requests based on the permissions carried along with a <>. Typically, when you try to access a resource server with a bearer token that is lacking permissions to access a protected resource, the resource server @@ -56,7 +56,7 @@ The `authorize` function is completely asynchronous and supports a few callback Most applications should use the `onGrant` callback to retry a request after a 401 response. Subsequent requests should include the RPT as a bearer token for retries. -==== Obtaining Entitlements +===== Obtaining Entitlements The keycloak-authz.js library provides an `entitlement` function that you can use to obtain an RPT from the server using the Entitlement API. @@ -75,7 +75,7 @@ The `entitlement` function is completely asynchronous and supports a few callbac * `onDeny`: The second argument of the function. Only called if the server has denied the authorization request. * `onError`: The third argument of the function. Only called if the server responds unexpectedly. -==== Obtaining the RPT +===== Obtaining the RPT If you have already obtained an RPT using any of the authorization functions provided by the library, you can always obtain the RPT as follows from the authorization object (assuming that it has been initialized by one of the techniques shown earlier): diff --git a/topics/enforcer/keycloak-enforcement-bearer.adoc b/topics/enforcer/keycloak-enforcement-bearer.adoc index 69b42cf757..e5a5f345ef 100755 
--- a/topics/enforcer/keycloak-enforcement-bearer.adoc +++ b/topics/enforcer/keycloak-enforcement-bearer.adoc @@ -1,5 +1,5 @@ [[_enforcer_bearer]] -=== Protecting a Stateless Service Using a Bearer Token +==== Protecting a Stateless Service Using a Bearer Token If the adapter is configured with the `bearer-only` configuration option, the policy enforcer decides whether a request to access a protected resource is allowed or denied based on the permissions of the bearer token. @@ -21,7 +21,7 @@ In this example, a *keycloak.json* file in your application is similar to the fo ... ``` -==== Authorization Response +===== Authorization Response When a client tries to access a resource server with a bearer token that is lacking permissions to access a protected resource, the resource server responds with a *401* status code and a `WWW-Authenticate` header. The value of the `WWW-Authenticate` header depends on the authorization protocol diff --git a/topics/permission/typed-resource-permission.adoc b/topics/permission/typed-resource-permission.adoc index 3d5d8b03dd..39c51f4494 100755 --- a/topics/permission/typed-resource-permission.adoc +++ b/topics/permission/typed-resource-permission.adoc @@ -1,5 +1,5 @@ [[_permission_typed_resource]] -=== Typed Resource Permission +==== Typed Resource Permission Resource permissions can also be used to define policies that are to be applied to all resources with a given <>. This form of resource-based permission can be useful when you have resources sharing common access requirements and constraints. diff --git a/topics/resource-server/default-config.adoc b/topics/resource-server/default-config.adoc index 9f3cbe51c5..ab1c1f03ce 100755 --- a/topics/resource-server/default-config.adoc +++ b/topics/resource-server/default-config.adoc 
@@ -41,6 +41,6 @@ image:../../images/resource-server/default-permission.png[alt="Default Permissio This permission is a <>, defining a set of one or more policies that are applied to all resources with a given type. -=== Changing the Default Configuration +==== Changing the Default Configuration You can change the default configuration by removing the default resource, policy, or permission definitions and creating your own. \ No newline at end of file diff --git a/topics/service/authorization/authorization-api-aapi.adoc b/topics/service/authorization/authorization-api-aapi.adoc index e6e55dea64..65f2ca4006 100755 --- a/topics/service/authorization/authorization-api-aapi.adoc +++ b/topics/service/authorization/authorization-api-aapi.adoc @@ -1,5 +1,5 @@ [[_service_authorization_api_aapi]] -=== Requesting Authorization Data and Token +==== Requesting Authorization Data and Token Client applications using the UMA protocol can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the permissions granted to a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. @@ -27,7 +27,7 @@ As a result, the server response is: {"rpt":"${RPT}"} ``` -==== Requesting Party Token +===== Requesting Party Token A Requesting Party Token (RPT) is a https://tools.ietf.org/html/rfc7519[JSON web token (JWT)] digitally signed using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON Web Signature (JWS)]. The token is built based on the AAT sent by the client during the authorization process. diff --git a/topics/service/authorization/whatis-obtain-aat.adoc b/topics/service/authorization/whatis-obtain-aat.adoc index c8d8319bab..b4f5fa9eaa 100755 --- a/topics/service/authorization/whatis-obtain-aat.adoc +++ b/topics/service/authorization/whatis-obtain-aat.adoc 
@@ -1,5 +1,5 @@ [[_service_authorization_aat]] -=== What is a AAT and How to Obtain It +==== What is an AAT and How to Obtain It An authorization API token (AAT) is a special OAuth2 access token with the scope *uma_authorization*. When you create a user, {{book.project.name}} automatically assigns the role _uma_authorization_ to the user. The _uma_authorization_ role is a default realm role. diff --git a/topics/service/entitlement/entitlement-api-aapi.adoc b/topics/service/entitlement/entitlement-api-aapi.adoc index f2812c4005..6a7cdbf495 100755 --- a/topics/service/entitlement/entitlement-api-aapi.adoc +++ b/topics/service/entitlement/entitlement-api-aapi.adoc @@ -1,5 +1,5 @@ [[_service_entitlement_api_aapi]] -=== Requesting Entitlements +==== Requesting Entitlements Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. @@ -9,7 +9,7 @@ With an RPT, client applications can gain access to protected resources at the r http://${host}:${port}/auth/realms/${realm_name}/authz/entitlement ``` -==== Obtaining Entitlements +===== Obtaining Entitlements The easiest way to obtain entitlements for a specific user is using an HTTP GET request. For example, using curl: 
@@ -35,7 +35,7 @@ As a result, the server response is: Using this method to obtain entitlements, the server responds to the requesting client with *all* entitlements for a user, based on the evaluation of the permissions and authorization policies associated with the resources managed by the resource server. -==== Obtaining Entitlements for a Specific Set of Resources +===== Obtaining Entitlements for a Specific Set of Resources You can also use the entitlements endpoint to obtain a user's entitlements for a set of one or more resources. For example, using curl: @@ -75,7 +75,7 @@ curl -X POST -H "Authorization: Bearer ${access_token}" -d '{ }' "http://localhost:8080/auth/realms/hello-world-authz/authz/entitlement/hello-world-authz-service" ``` -==== Requesting Party Token +===== Requesting Party Token A requesting party token (RPT) is a https://tools.ietf.org/html/rfc7519[JSON web token (JWT)] digitally signed using https://www.rfc-editor.org/rfc/rfc7515.txt[JSON web signature (JWS)]. The token is built based on the access_token sent by the client during the authorization process. diff --git a/topics/service/protection/permission-api-papi.adoc b/topics/service/protection/permission-api-papi.adoc index d560aecdd1..9a50c48d77 100755 --- a/topics/service/protection/permission-api-papi.adoc +++ b/topics/service/protection/permission-api-papi.adoc @@ -1,5 +1,5 @@ [[_service_protection_permission_api_papi]] -=== Managing Permission Requests +==== Managing Permission Requests Resource servers using the UMA protocol can use a specific endpoint to manage permission requests. This endpoint provides a UMA-compliant flow for registering permission requests and obtaining a permission ticket. diff --git a/topics/service/protection/resources-api-papi.adoc b/topics/service/protection/resources-api-papi.adoc index 07768517eb..2d94bc47a3 100755 --- a/topics/service/protection/resources-api-papi.adoc +++ b/topics/service/protection/resources-api-papi.adoc 
@@ -1,5 +1,5 @@ [[_service_protection_resources_api]] -=== Managing Resources +==== Managing Resources Resource servers can manage their resources remotely using a UMA-compliant endpoint. diff --git a/topics/service/protection/whatis-obtain-pat.adoc b/topics/service/protection/whatis-obtain-pat.adoc index 3c51353371..a156d163b5 100755 --- a/topics/service/protection/whatis-obtain-pat.adoc +++ b/topics/service/protection/whatis-obtain-pat.adoc @@ -1,5 +1,5 @@ [[_service_protection_whatis_obtain_pat]] -=== What is a PAT and How to Obtain It +==== What is a PAT and How to Obtain It A *protection API token* (PAT) is a special OAuth2 access token with a scope defined as *uma_protection*. When you create a resource server, {{book.project.name}} automatically creates a role, _uma_protection_, for the corresponding client application and associates it with the client's service account.
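Review bot: In SUMMARY.adoc (hunk at line 80) and again in topics/enforcer/https.adoc and topics/service/authorization/whatis-obtain-aat.adoc, the patch makes wording fixes ("a AAT" to "an AAT", "make sure" to "ensure", "Is strongly" to "It is strongly") that the subject line "fixing remaining header issues so TOC levels are correct" does not cover. Either mention the copy edits in the commit message or split them into their own commit, so that a later bisect or revert of the heading-level change does not silently carry text changes with it.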
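Review bot: In topics/service/entitlement/entitlement-api-aapi.adoc, the context lines around the demoted headings still document the endpoint as `http://${host}:${port}/auth/realms/${realm_name}/authz/entitlement` and show a curl call that sends `Authorization: Bearer ${access_token}` to an `http://` URL, while the NOTE corrected in topics/enforcer/https.adoc in this same patch strongly recommends TLS/HTTPS for server endpoints. Since this file is already being touched, consider switching the endpoint template to `https://` or adding a cross-reference to `_enforcer_filter_using_https` next to it, so that readers do not copy a form that sends bearer tokens in cleartext.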
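Review bot: The `===== Requesting Party Token` subsections in topics/service/authorization/authorization-api-aapi.adoc (hunk at line 27) and topics/service/entitlement/entitlement-api-aapi.adoc (hunk at line 75) now sit at the same level with the same title, but their body text differs in capitalization ("A Requesting Party Token ... JSON Web Signature" versus "A requesting party token ... JSON web signature"). Neither heading has an explicit `[[...]]` anchor in the visible lines, unlike the parent sections. Suggest picking one capitalization and giving each subsection its own anchor, so that cross-references and any auto-generated IDs stay unambiguous. The same applies to `===== Obtaining Entitlements`, which appears in both js-adapter.adoc and entitlement-api-aapi.adoc.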
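Review bot: In topics/resource-server/default-config.adoc (hunk at line 41), the last line still carries the "\ No newline at end of file" marker after "creating your own." Please add the trailing newline while this file is being edited. Without it, the next topic's block anchor or heading can be glued onto this paragraph if the .adoc files are concatenated or included back to back, and later diffs of the file will show a spurious change on the last line.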