Overview

The Protection API is defined in User-Managed Access (UMA). UMA requires that the Authorization Server present an HTTP-based Protection API, protected by TLS and OAuth 2.0 (or an OAuth-based authentication protocol), for use by Resource Servers.
The Protection API consists of three Endpoints:
- Resource Set Registration Endpoint, as defined by OAuth 2.0 Resource Set Registration
- Permission Registration Endpoint, as defined by Section 3.2 of the UMA Core specification
- Token Introspection Endpoint, as defined by OAuth 2.0 Token Introspection
An Entity seeking Protection API access MUST hold the OAuth Scope "uma_protection". An Access Token carrying at least this OAuth Scope is called a Protection API Token (PAT), and an Entity that can acquire an Access Token with this OAuth Scope is by definition a Resource Server. A single Entity can serve in both the Resource Server and OAuth Client roles if it holds Access Tokens with the appropriate OAuth Scopes for each. If a request to an Endpoint fails because the Protection API Token is invalid, missing, or expired, or because the Endpoint requires more privileges than the Protection API Token carries, the Authorization Server responds with an OAuth Error; with bearer tokens this is the WWW-Authenticate challenge of the OAuth 2.0 Bearer Token profile (invalid_token for a bad or expired token, insufficient_scope when the token lacks the scope the Endpoint needs).
The Authorization Server MUST support the OAuth 2.0 Bearer Token profile for Protection API Token issuance, and MAY support other OAuth Token Profiles. The Authorization Server MUST declare all supported OAuth Token Profiles and Grant Types for Protection API Token issuance in its configuration data. Any OAuth authorization Grant Type might be appropriate depending on circumstances; for example, the Client Credentials Grant is useful when an organization, rather than an individual, acts as the Resource Owner. The UMA implementer's guide (UMA-Impl) discusses grant options further.
A Protection API Token binds a Resource Owner, a Resource Server the owner uses for resource management, and an Authorization Server the owner uses for protection of resources at this Resource Server. It is not specific to any client or Requesting Party. The issuance of a Protection API Token represents the approval of the Resource Owner for this Resource Server to use this Authorization Server for protecting some or all of the Protected Resources belonging to this Resource Owner.
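The following is an added example, not text or code from the UMA specification or from any UMA implementation. It sketches the Authorization Server's guard in front of the three Protection API Endpoints: the bearer token is looked up, checked for expiry and for the "uma_protection" scope, and rejected with the corresponding OAuth Bearer error otherwise. It also shows the binding described above in practice: the Resource Owner and Resource Server a registration is recorded for come from the PAT, never from the request body. The endpoint paths, the in-memory token store, the token strings and the clock value are all constructed for illustration and are assumptions of this example.

```python
"""Added example: an Authorization Server's guard for the UMA Protection API.
Not taken from the UMA specification or any implementation; the token store,
endpoint paths and clock values are constructed for illustration.
"""
from dataclasses import dataclass, field

PROTECTION_SCOPE = "uma_protection"

# Assumed endpoint paths; each needs at least uma_protection, as the text states.
ENDPOINT_SCOPES = {
    "/rs/resource_set": {PROTECTION_SCOPE},   # Resource Set Registration
    "/perm": {PROTECTION_SCOPE},              # Permission Registration
    "/introspect": {PROTECTION_SCOPE},        # Token Introspection
}


@dataclass(frozen=True)
class PAT:
    """What a Protection API Token binds: owner, resource server, scopes, expiry."""
    token: str
    resource_owner: str      # whose resources this RS may protect at this AS
    resource_server: str     # OAuth client_id of the RS that obtained the PAT
    scopes: frozenset
    expires_at: int          # Unix seconds


# Constructed token store standing in for the AS's database.
TOKEN_STORE = {
    "pat-alice-rs1": PAT("pat-alice-rs1", "alice", "rs1", frozenset({PROTECTION_SCOPE}), 2_000_000_000),
    "pat-expired":   PAT("pat-expired",   "alice", "rs1", frozenset({PROTECTION_SCOPE}), 1_000_000_000),
    "at-no-uma":     PAT("at-no-uma",     "bob",   "rs2", frozenset({"openid", "profile"}), 2_000_000_000),
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def bearer_error(status, error=None, description=None, realm="protection"):
    """RFC 6750 challenge; a request with no token at all gets no error code."""
    parts = [f'realm="{realm}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    return Response(status, {"WWW-Authenticate": "Bearer " + ", ".join(parts)})


def authorize_protection_call(path, headers, now):
    """Return (pat, None) when the PAT is acceptable, else (None, error Response)."""
    if path not in ENDPOINT_SCOPES:
        return None, Response(404, body="unknown endpoint")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None, bearer_error(401)                      # missing token
    pat = TOKEN_STORE.get(token)
    if pat is None:
        return None, bearer_error(401, "invalid_token", "unknown token")
    if now >= pat.expires_at:
        return None, bearer_error(401, "invalid_token", "token expired")
    missing = ENDPOINT_SCOPES[path] - pat.scopes
    if missing:
        return None, bearer_error(403, "insufficient_scope",
                                  "requires " + " ".join(sorted(missing)))
    return pat, None


REGISTRY = []  # constructed: resource sets recorded by the AS


def register_resource_set(headers, body, now):
    """Resource Set Registration: owner and RS are taken from the PAT binding."""
    pat, err = authorize_protection_call("/rs/resource_set", headers, now)
    if err:
        return err
    # Nothing in the body can redirect the registration to another owner or RS.
    REGISTRY.append({"owner": pat.resource_owner, "rs": pat.resource_server,
                     "name": body["name"]})
    return Response(201, body=f"registered for {pat.resource_owner}")


if __name__ == "__main__":
    now = 1_500_000_000
    print(register_resource_set({"Authorization": "Bearer pat-alice-rs1"}, {"name": "photos"}, now))
    print(register_resource_set({}, {"name": "photos"}, now))
    print(register_resource_set({"Authorization": "Bearer at-no-uma"}, {"name": "photos"}, now))
```

The ordering of the checks matters: a missing or unknown token is rejected before scopes are consulted, so the 403 insufficient_scope response is only ever returned for a token the Authorization Server actually issued, and the same guard serves all three Endpoints by looking up the scopes each one requires.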