Sequence: RO: Acquire PAT - ForgeRock/frdp-uma-resource-server GitHub Wiki
The process:
Some UMA operations, mostly ones related to the Resource Owner (RO), require the use of a Protection API Token (PAT). The PAT is an OAuth 2 access token with a scope of `uma_protection` and it establishes a three-way relationship between the Resource Owner (RO), the Resource Server (RS) and the Authorization Server (AS).
The PAT is created for a given RO + RS + AS and should be persisted to support future UMA operations. The Resource Server (RS) will persist the PAT within its internal data store. The Resource Server (RS) will get or create a PAT as necessary to support UMA operations. This procedure can be explicitly invoked to illustrate the PAT creation process, or it will be implicitly invoked when a UMA operation determines that a PAT is required.
The Resource Server (RS) submits a request to the Authorization Server (AS) to obtain the PAT. The access token (PAT) request must include credentials for the Resource Owner; this is done by using a "grant type". This implementation will use the `authorization_code` grant type.
The sequence:
- Resource Owner (RO) accesses an interface, the Resource Owner Application (ROA)
- If not authenticated, redirect user to authenticate with Authorization Server (AS)
- RO invokes an "action" (register resource, apply policy) that will require a PAT
- Resource Server (RS) determines that a PAT is needed ... for the given RO + AS + RS
  - Get data about the Resource Server (RS)
    - OAuth 2 `client_id` and `client_secret`
  - Get data about the Authorization Server (AS)
    - URI endpoints
  - Need an "authorization code" for the authenticated Resource Owner (RO)
    - Use the SSO header cookie to access the ForgeRock Access Manager `/am/oauth2/authorization` endpoint
      - set `response_type` to "code"
      - set `scope` = "uma_protection"
  - Get PAT ... Submit a POST request to the Authorization Server (AS) `/am/oauth2/access_token`
    - Provide the following information:
      - `grant_type` = authorization_code
      - `code` = "the authorization code"
      - `client_id` = RS oauth2 client id
      - `client_secret` = RS oauth2 client secret
    - The response includes the following data:
      - `access_token` (the PAT)
      - `refresh_token`
      - `scope`
      - `token_type` (Bearer)
      - `expires_in`
  - Save the PAT (token response data) to the RS internal Credential data store
    - The PAT is associated to the Resource Owner (RO)
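The authorization-code and token steps of the sequence above, as an added Python example that is not part of the frdp-uma-resource-server project: it builds the authorization request the RO's browser is sent to, the form body the RS POSTs to the token endpoint, and checks the token response before shaping it as the RO + RS + AS credential record the RS persists. The `am.example.com` host, the redirect URI, the `state` parameter and the sample token response are assumptions; the endpoint paths and parameter names are the ones this page lists.

```python
import json
from urllib.parse import urlencode

# Assumed deployment values (not from the project); the endpoint paths are the ones this page names.
AS_BASE = "https://am.example.com"
AUTHZ_ENDPOINT = AS_BASE + "/am/oauth2/authorization"
TOKEN_ENDPOINT = AS_BASE + "/am/oauth2/access_token"


def build_authz_request(client_id, redirect_uri, state):
    """Authorization-code step: URL the RO's browser (carrying its SSO cookie) is sent to."""
    params = {"response_type": "code", "scope": "uma_protection", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}  # state is bound to the RO session
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def build_pat_request(code, client_id, client_secret, redirect_uri):
    """Get-PAT step: form body the RS POSTs to TOKEN_ENDPOINT with its own client credentials."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}


def pat_from_response(body, ro_id, rs_id, as_id):
    """Validate the token response and shape it as the credential record the RS persists,
    keyed on RO + RS + AS. Rejects tokens that are not Bearer or that lack uma_protection."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("expected token_type Bearer")
    if "uma_protection" not in data.get("scope", "").split():
        raise ValueError("token lacks scope uma_protection; it is not a PAT")
    return {"owner": ro_id, "resource_server": rs_id, "authorization_server": as_id,
            "access_token": data["access_token"], "refresh_token": data.get("refresh_token"),
            "scope": data["scope"], "token_type": data["token_type"],
            "expires_in": int(data["expires_in"])}


# Constructed sample token response carrying the fields the page lists.
SAMPLE_RESPONSE = json.dumps({"access_token": "PAT-EXAMPLE", "refresh_token": "RT-EXAMPLE",
                              "scope": "uma_protection", "token_type": "Bearer",
                              "expires_in": 3599})

if __name__ == "__main__":
    cb = "https://rs.example.com/pat/callback"  # assumed RS redirect URI
    print(build_authz_request("rs-client", cb, "state-1"))
    print(build_pat_request("AUTHZ-CODE", "rs-client", "rs-secret", cb))
    print(pat_from_response(SAMPLE_RESPONSE, "alice", "rs-client", AS_BASE))
```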