38 lines
No EOL
1.6 KiB
Text
Executable file
38 lines
No EOL
1.6 KiB
Text
Executable file
[[_service_authorization_aat]]
|
|
== Authorization API Token
|
|
|
|
An authorization API token (AAT) is a special OAuth2 access token with the scope *uma_authorization*. When you create a user, {{book.project.name}} automatically
|
|
assigns the role _uma_authorization_ to the user. The _uma_authorization_ role is a default realm role.
|
|
|
|
.Default Role uma_authorization
|
|
image:../../../images/service/rs-uma-authorization-role.png[alt="Default Role uma_authorization "]
|
|
|
|
An AAT enables a client application to query the server for user permissions.
|
|
|
|
Client applications can obtain an AAT from {{book.project.name}} like any other OAuth2 access token. Usually, client applications obtain AATs after the user is successfully
|
|
authenticated in {{book.project.name}}. By default, the _authorization_code_ grant type is used to authenticate users, and the server will issue an OAuth2 access token to the client application acting on their behalf.
|
|
|
|
The example below uses the Resource Owner Password Credentials Grant Type to request an AAT:
|
|
|
|
```bash
|
|
curl -X POST \
|
|
-H "Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpwYXNzd29yZA==" \
|
|
-H "Content-Type: application/x-www-form-urlencoded" \
|
|
-d 'username=${username}&password=${user_password}&grant_type=password' \
|
|
"http://localhost:8080/auth/realms/${realm_name}/protocol/openid-connect/token"
|
|
```
|
|
|
|
As a result, the server response is:
|
|
|
|
```json
|
|
{
|
|
"access_token": ${AAT},
|
|
"expires_in": 300,
|
|
"refresh_expires_in": 1800,
|
|
"refresh_token": ${refresh_token},
|
|
"token_type": "bearer",
|
|
"id_token": ${id_token},
|
|
"not-before-policy": 0,
|
|
"session_state": "3cad2afc-855b-47b7-8e4d-a21c66e312fb"
|
|
}
|
|
``` |