Sequence: RO: Apply Policy - ForgeRock/frdp-uma-resource-server GitHub Wiki

The Process

The Resource Owner (RO) controls the "life cycle" of their resources. The management of an actual "resource" (create, read, update, delete) is out of scope for the User Managed Access (UMA) specification. The Resource Server (RS), from a UMA perspective, enables the Resource Owner (RO) to register resources and apply policies. The Resource Server (RS) will enforce Requesting Party (RqP) access to the resources. Requesting Parties (RqP) will only be allowed to perform operations against resources that have a proper policy.

This Reference Implementation uses an external Content Server (CS) to manage actual resources / documents. The management of actual resources / documents could be provided as an embedded capability of the Resource Server (RS).

The Sequence

  • Resource Owner (RO) must be authenticated with the Authorization Server (AS)
    • This can be done prior to accessing the Resource Owner Application (ROA) with SSO Session or via an explicit login process
  • Resource Owner Application (ROA) issues a PUT request to /manage/resources/{id}/policy to set policy on the resource
    • The request contains required and optional attributes that are used to perform operations.
  • Resource Server (RS) receives the request
    • Reads the resource's meta data
    • Resource Server (RS) applies a policy to the resource
      • To enable the "sharing" of a resource, a policy must be applied. The policy is a collection of permissions that declares which Requesting Parties (RqP) can perform what operations (via scopes). More than one Requesting Party (RqP) can be contained in a collection of permissions and each subject, in the collection, can have a different set of scopes.
  • Perform a PUT operation to the Authorization Server (AS) to update the policy for the Resource Owner (RO)
    • Note: The resource policy can also be managed by the Resource Owner (RO) with the ForgeRock Access Manager interface
    • The request requires the SSO Token Header/Cookie
  • Resource Server (RS) updates resource meta data that is associated with the actual resource / document
    • The resource meta data sets the state to "shared" and discoverable to "false". The state and discoverable attributes are used to support Requesting Party (RqP) operations.
  • Resource Owner Application (ROA) receives the response from the policy operation
    • The interface is updated
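The following is an added example, written for this page and not code from the frdp-uma-resource-server project (which is Java). It models the Resource Server side of the sequence above in Python so it can be run offline: validating the body of the PUT /manage/resources/{id}/policy request, applying the policy to the resource meta data (state "shared", discoverable "false"), and then answering the enforcement question the RS has to answer for every Requesting Party (RqP) operation. The JSON shape (a "permissions" list whose entries carry a "subject" and a list of "scopes"), the meta data field names, the resource id and the subjects are all assumptions made for illustration; the PUT to the Authorization Server (AS) is outside the example.

```python
"""Policy application and enforcement on the Resource Server (RS) side.

Added example, not code from the frdp-uma-resource-server project. The
JSON shape of the policy request and the meta data field names below are
assumptions made for illustration.
"""
import copy
import json

# Constructed sample: resource meta data as the RS holds it before a policy
# is applied. The scopes are the ones the resource was registered with.
SAMPLE_META = {
    "id": "res-123",                             # placeholder resource id
    "name": "quarterly-report.pdf",
    "scopes": ["view", "comment", "download"],   # registered scopes
    "state": "registered",
    "discoverable": True,
    "policy": None,
}

# Constructed sample: body of the PUT /manage/resources/{id}/policy request.
# One entry per Requesting Party (RqP) subject, each with its own scopes.
SAMPLE_POLICY_REQUEST = json.dumps({
    "permissions": [
        {"subject": "alice", "scopes": ["view", "comment"]},
        {"subject": "bob", "scopes": ["view"]},
    ]
})


class PolicyError(ValueError):
    """Raised when a policy request cannot be applied."""


def parse_policy(body: str, registered_scopes) -> list:
    """Validate the request body and return the permission list.

    Every permission must name a subject and at least one scope, and every
    scope must be one the resource was registered with, so that the RS
    never stores a policy granting an operation the AS does not know about.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise PolicyError(f"body is not JSON: {exc}") from exc
    perms = doc.get("permissions") if isinstance(doc, dict) else None
    if not isinstance(perms, list) or not perms:
        raise PolicyError("policy must contain a non-empty 'permissions' list")
    allowed = set(registered_scopes)
    seen = set()
    for perm in perms:
        subject = perm.get("subject") if isinstance(perm, dict) else None
        scopes = perm.get("scopes") if isinstance(perm, dict) else None
        if not subject or not isinstance(subject, str):
            raise PolicyError("each permission needs a 'subject'")
        if subject in seen:
            raise PolicyError(f"duplicate subject {subject!r}")
        seen.add(subject)
        if not isinstance(scopes, list) or not scopes:
            raise PolicyError(f"subject {subject!r} has no scopes")
        unknown = set(scopes) - allowed
        if unknown:
            raise PolicyError(f"unknown scopes for {subject!r}: {sorted(unknown)}")
    return perms


def apply_policy(meta: dict, body: str) -> dict:
    """Return a copy of the meta data with the policy applied.

    Follows the sequence on the page: validate, store the permissions, then
    set state to "shared" and discoverable to False. The original meta data
    is left untouched so a rejected request changes nothing.
    """
    perms = parse_policy(body, meta["scopes"])
    updated = copy.deepcopy(meta)
    updated["policy"] = {"permissions": perms}
    updated["state"] = "shared"
    updated["discoverable"] = False
    return updated


def is_permitted(meta: dict, subject: str, scope: str) -> bool:
    """Enforcement check: a Requesting Party may perform an operation only on
    a shared resource whose policy grants that scope to that subject."""
    if meta.get("state") != "shared" or not meta.get("policy"):
        return False
    for perm in meta["policy"]["permissions"]:
        if perm["subject"] == subject:
            return scope in perm["scopes"]
    return False


if __name__ == "__main__":
    shared = apply_policy(SAMPLE_META, SAMPLE_POLICY_REQUEST)
    print(json.dumps(shared, indent=2))
    print("alice comment:", is_permitted(shared, "alice", "comment"))
    print("bob comment:", is_permitted(shared, "bob", "comment"))
```

The enforcement function deliberately denies by default: a resource that is still in the "registered" state, a subject that is not in the permission collection, or a scope the subject was not granted all produce "not permitted", which is the behaviour the page describes when it says Requesting Parties may only operate against resources that carry a proper policy.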