This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is defined in [User Managed Access|User-Managed Access], which requires that the [Authorization Server] __MUST__ present an HTTP-based [{$pagename}], protected by [TLS] and [OAuth 2.0] (or an OAuth-based authentication protocol), for use by [Resource Servers].
The [Authorization Server] thus has an OAuth [Token_endpoint] and [Authorization_endpoint]. The [Authorization Server] [MUST] declare all of its [{$pagename}] [endpoints] in its [Uma-configuration].
The [{$pagename}] consists of three [Endpoints]:
* [Resource Set Registration Endpoint|Resource_set_registration_endpoint] as defined by [OAuth 2.0 Resource Set Registration]
* [Permission Registration Endpoint|Permission_registration_endpoint] as defined by Section 3.2 of the [User-Managed Access] specification
* [Token Introspection Endpoint] as defined by [OAuth 2.0 Token Introspection]
An [Entity] seeking [{$pagename}] access __MUST__ have the [OAuth Scope|OAuth Scopes] "[uma_protection]". An [Access Token] with at least this [OAuth Scope] is called a [Protection API Token] (PAT), and an [Entity] that can acquire an [Access Token] with this [OAuth Scope] is by definition a [Resource Server]. A single [Entity] can serve in both the [Resource Server] and [OAuth Client] roles if it holds [Access Tokens] with the appropriate [OAuth Scopes]. If a request to an endpoint fails due to an invalid, missing, or expired [Protection API Token], or requires [higher privileges|Level Of Assurance] at this [Endpoint] than the [Protection API Token] provides, the [Authorization Server] responds with an [OAuth Error].
The [Authorization Server] __MUST__ support the [OAuth 2.0] [Bearer Token] profile for [Protection API Token] issuance, and MAY support other [OAuth Token Profiles]. The [Authorization Server] MUST declare all supported [OAuth Token Profiles] and [Grant Types] for [Protection API Token] issuance in its [configuration data|Uma-configuration]. Any OAuth authorization [Grant Type] might be appropriate depending on circumstances; for example, the [Client Credentials Grant] is useful when an organization acts as the [Resource Owner]. The [UMA Implementer's Guide|UMA Implementer Guide] discusses grant options further.
A [Protection API Token] binds a [Resource Owner], a [Resource Server] the owner uses for resource management, and an [Authorization Server] the owner uses for protection of resources at this [Resource Server]. It is not specific to any client or [Requesting Party]. The issuance of a [Protection API Token] represents the approval of the [Resource Owner] for this [Resource Server] to use this [Authorization Server] for protecting some or all of the [Protected Resources] belonging to this [Resource Owner].
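As an added illustration of the PAT rules above (this is example code written for this page, not code from the UMA specification or any implementation), the following Python guard shows how a Protection API endpoint would tell a missing, malformed, unknown, expired or under-scoped bearer token apart and answer each with the matching RFC 6750 error. The in-memory token store, the token strings and the realm name are constructed assumptions; the "higher privileges" case is mapped to insufficient_scope.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed, in-memory token store standing in for the Authorization
# Server's own storage (assumption; not any real UMA implementation).
# Each PAT binds a resource owner, a resource server and the granted scopes.
PAT_STORE = {
    "pat-good":    {"scopes": {"uma_protection"}, "exp": time.time() + 3600,
                    "resource_owner": "alice", "resource_server": "rs-photos"},
    "pat-expired": {"scopes": {"uma_protection"}, "exp": time.time() - 1,
                    "resource_owner": "alice", "resource_server": "rs-photos"},
    "tok-noscope": {"scopes": {"openid"}, "exp": time.time() + 3600,
                    "resource_owner": "bob", "resource_server": "rs-photos"},
}

@dataclass
class PatDecision:
    status: int                      # HTTP status the endpoint should return
    error: Optional[str]             # OAuth error code (RFC 6750), or None
    www_authenticate: Optional[str]  # challenge header for 400/401/403 responses
    binding: Optional[dict] = None   # resource_owner + resource_server on success

def check_pat(authorization_header, required_scope="uma_protection", now=None):
    """Guard for a Protection API endpoint: accept only a valid bearer PAT
    carrying the uma_protection scope, otherwise produce the OAuth error."""
    now = time.time() if now is None else now
    realm = 'Bearer realm="uma"'  # constructed realm name
    # No credentials at all: challenge without an error code (RFC 6750 3.1).
    if not authorization_header:
        return PatDecision(401, None, realm)
    scheme, _, token = authorization_header.partition(" ")
    # Wrong scheme or empty token: malformed request.
    if scheme.lower() != "bearer" or not token.strip():
        return PatDecision(400, "invalid_request", f'{realm}, error="invalid_request"')
    record = PAT_STORE.get(token.strip())
    # Unknown or expired token: 401 invalid_token.
    if record is None or record["exp"] <= now:
        return PatDecision(401, "invalid_token", f'{realm}, error="invalid_token"')
    # Real token that is not a PAT (lacks uma_protection): 403 insufficient_scope.
    if required_scope not in record["scopes"]:
        return PatDecision(403, "insufficient_scope",
                           f'{realm}, error="insufficient_scope", scope="{required_scope}"')
    # Valid PAT: hand the owner/resource-server binding to the endpoint logic.
    return PatDecision(200, None, None,
                       {"resource_owner": record["resource_owner"],
                        "resource_server": record["resource_server"]})
```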
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]