Overview#User-Managed Access defines the Authorization Server MUST present an HTTP-based Authorization API, protected by TLS and OAuth 2.0 (or an OAuth-based authentication protocol), for use by OAuth Clients. The Authorization Server thus has an OAuth Token_endpoint and Authorization_endpoint. The Authorization Server MUST declare its Authorization API Endpoint in its Uma-configuration data.
An Entity seeking Authorization API access MUST have the OAuth Scope "uma_authorization". An Access Token with at least this OAuth Scope is called an Authorization API Token (AAT) and an entity that can acquire an Authorization API Token is by definition a OAuth Client. A single entity can serve in both Resource Server and OAuth Client roles if it has Access Tokens with the appropriate OAuth Scopes. If a request to an Endpoint fails due to an invalid, missing, or expired Authorization API Token, or requires higher privileges at this endpoint than provided by the Authorization API Token, the Authorization Server responds with an OAuth Error.
The Authorization Server MUST support the OAuth Bearer Token Profile for Authorization API Token issuance, and MAY support other OAuth Token Profiles. The Authorization Server MUST declare all supported OAuth Token Profiles and Grant Types for Authorization API Token issuance in its uma-configuration data. Any OAuth authorization grant type might be appropriate depending on circumstances; for example, the Client Credentials Grant is useful in the case of an organization acting as a Requesting Party. UMA-Impl discusses grant options further.
An Authorization API Token binds a Requesting Party, a OAuth Client being used by that party, and an Authorization Server that protects resources this OAuth Client is seeking access to on this Requesting Party's behalf. It is not specific to any Resource Server or Resource Owner. The issuance of an AAT represents the approval of this Requesting Party for this OAuth Client to engage with this Authorization Server to supply claims, ask for Authorization, and perform any other tasks needed for obtaining authorization for access to Protected Resources at all Resource Servers that use this Authorization Server. The Authorization Server is able to manage future processes of authorization and claims-caching efficiently for this OAuth Client/Requesting Party pair across all Resource Servers they try to access; however, these management processes are outside the scope of this specification.