Sequence: RO: Acquire PAT - ForgeRock/frdp-uma-resource-server GitHub Wiki

The process:

Some UMA operations, mostly ones related to the Resource Owner (RO), require the use of a Protection API Token (PAT). The PAT is an OAuth 2 access token with a scope of uma_protection and it establishes a three-way relationship between the Resource Owner (RO), the Resource Server (RS) and the Authorization Server (AS).

The PAT is created for a given RO + RS + AS and should be persisted to support future UMA operations. The Resource Server (RS) will persist the PAT within its internal data store. The Resource Server (RS) will get or create a PAT as necessary to support UMA operations. This procedure can be explicitly invoked to illustrate the PAT creation process, or it will be implicitly invoked when a UMA operation determines that a PAT is required.

The Resource Server (RS) submits a request to the Authorization Server (AS) to obtain the PAT. The access token (PAT) request must carry credentials for the Resource Owner ... this is done by using an OAuth 2 "grant type". This implementation will use the authorization_code grant type.

The sequence:

  • Resource Owner (RO) accesses an interface, the Resource Owner Application (ROA)
    • If not authenticated, redirect user to authenticate with Authorization Server (AS)
    • RO invokes an "action" (register resource, apply policy) that will require a PAT
  • Resource Server (RS) determines that a PAT is needed ... for the given RO + AS + RS
    • Get data about the Resource Server (RS)
      • OAuth 2 client_id and client_secret
    • Get data about the Authorization Server (AS)
      • URI endpoints
  • Need an "authorization code" for the authenticated Resource Owner (RO)
    • Use the SSO header cookie to access the ForgeRock Access Manager /am/oauth2/authorization endpoint
      • set response_type to "code"
      • set scope = "uma_protection"
  • Get PAT ... Submit a POST request to the Authorization Server (AS) /am/oauth2/access_token
    • Provide the following information:
      • grant_type = authorization_code
      • code = "the authorization code"
      • client_id = RS oauth2 client id
      • client_secret = RS oauth2 client secret
    • The response includes the following data:
      • access_token (the PAT)
      • refresh_token
      • scope
      • token_type (Bearer)
      • expires_in
  • Save the PAT (token response data) to the RS internal Credential data store
  • The PAT is associated to the Resource Owner (RO)
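
The sequence above as an added Python example (not code from the frdp-uma-resource-server project, which is Java and makes the HTTP calls itself): it builds the authorization-code and access_token requests, checks that the returned token really is a PAT before storing it, and keeps one PAT per RO + RS + AS in a get-or-create store that refreshes expired entries. The AS base URL, the redirect_uri and state parameters, and the sample token response are assumptions or constructed values; the `acquire` callback stands in for the real round trip to the AS.

```python
from urllib.parse import urlencode

# Assumed values (placeholders, not from the project): AS base URL and endpoint paths.
AS_BASE = "https://as.example.com/am"
AUTHZ_ENDPOINT = "/oauth2/authorization"   # endpoint path as named on this page
TOKEN_ENDPOINT = "/oauth2/access_token"

# Constructed sample of the access_token response fields listed above.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "PAT-constructed-sample", "refresh_token": "RT-constructed-sample",
    "scope": "uma_protection", "token_type": "Bearer", "expires_in": 3599,
}

def build_authz_request(client_id, redirect_uri, state):
    """URL the RS calls (with the RO's AM SSO cookie) to obtain an authorization code."""
    params = {"response_type": "code", "scope": "uma_protection",       # from the page
              "client_id": client_id, "redirect_uri": redirect_uri, "state": state}  # assumed
    return f"{AS_BASE}{AUTHZ_ENDPOINT}?{urlencode(params)}"

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Form fields for the POST to the access_token endpoint (authorization_code grant)."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}

def pat_from_token_response(resp, now):
    """Check that the token really is a PAT and convert it to a storable record."""
    if "uma_protection" not in resp.get("scope", "").split():
        raise ValueError("not a PAT: scope lacks uma_protection")
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % resp.get("token_type"))
    return {"access_token": resp["access_token"], "refresh_token": resp.get("refresh_token"),
            "scope": resp["scope"], "token_type": resp["token_type"],
            "expires_at": now + int(resp["expires_in"])}   # absolute expiry, not a TTL

class PatStore:
    """In-memory stand-in for the RS credential store; one PAT per RO + RS + AS."""
    def __init__(self):
        self._pats = {}

    def get_or_create(self, ro, rs_client_id, as_base, now, acquire):
        """Reuse the persisted PAT unless missing or about to expire; else run acquire()."""
        key = (ro, rs_client_id, as_base)
        pat = self._pats.get(key)
        if pat is None or pat["expires_at"] <= now + 30:   # 30 s safety margin
            pat = acquire()
            self._pats[key] = pat
        return pat
```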