867eff3e5d
* [KEYCLOAK-3169] - Updating authz services doc * [KEYCLOAK-3169] - Section about changes to user account service * [KEYCLOAK-3169] - Removing UMA 1.0 references * [KEYCLOAK-3169] - RH-SSO images * [KEYCLOAK-3169] - Updating Keycloak images * [KEYCLOAK-3169] - Review * [KEYCLOAK-3169] - Review
37 lines
1.4 KiB
Text
37 lines
1.4 KiB
Text
[[_enforcer_bearer]]
|
|
= Protecting a Stateless Service Using a Bearer Token
|
|
|
|
If the adapter is configured with the `bearer-only` configuration option, the policy enforcer decides whether a request
|
|
to access a protected resource is allowed or denied based on the permissions of the bearer token.
|
|
|
|
. HTTP GET example passing an RPT as a bearer token
|
|
```bash
|
|
GET /my-resource-server/my-protected-resource HTTP/1.1
|
|
Host: host.com
|
|
Authorization: Bearer ${RPT}
|
|
...
|
|
```
|
|
|
|
In this example, a *keycloak.json* file in your application is similar to the following:
|
|
|
|
.Example of WEB-INF/keycloak.json with the bearer-only configuration option
|
|
```json
|
|
...
|
|
"bearer-only" : true,
|
|
...
|
|
```
|
|
|
|
== Authorization Response
|
|
|
|
When a client tries to access a resource server with a bearer token that is lacking permissions to access a protected resource, the resource server
|
|
responds with a *401* status code and a `WWW-Authenticate` header. The value of the `WWW-Authenticate` header depends on the authorization protocol
|
|
in use by the resource server.
|
|
|
|
Here is an example of a response from a resource server that is using UMA as the authorization protocol:
|
|
|
|
```bash
|
|
HTTP/1.1 401 Unauthorized
|
|
WWW-Authenticate: UMA realm="photoz-restful-api",as_uri="https://${host}:${post}/auth/realms/${realm}",ticket="${PERMISSION_TICKET}"
|
|
```
|
|
|
|
Once a client receives a response from the server, it examines the status code and `WWW-Authenticate` header to obtain an RPT from the {project_name} Server.
|