Protection API


The Protection API is defined in User Managed Access (UMA), which requires that the Authorization Server MUST present an HTTP-based Protection API, protected by TLS and OAuth 2.0 (or an OAuth-based authentication protocol), for use by Resource Servers.

The Authorization Server thus also exposes an OAuth Token_endpoint and Authorization_endpoint. The Authorization Server MUST declare all of its Protection API endpoints in its Uma-configuration.

The Protection API consists of three Endpoints: the resource set registration endpoint, the permission registration endpoint, and the token introspection endpoint.

An Entity seeking Protection API access MUST hold the OAuth Scope "uma_protection". An Access Token carrying at least this OAuth Scope is called a Protection API Token (PAT), and an entity that can acquire an Access Token with this OAuth Scope is, by definition, a Resource Server. A single Entity can serve in both the Resource Server and OAuth Client roles if it holds Access Tokens with the appropriate OAuth Scopes. If a request to an endpoint fails because the Protection API Token is invalid, missing, or expired, or because the Endpoint requires higher privileges than the Protection API Token provides, the Authorization Server responds with an OAuth Error.

The Authorization Server MUST support the OAuth 2.0 Bearer Token profile for Protection API Token issuance, and MAY support other OAuth Token Profiles. The Authorization Server MUST declare all supported OAuth Token Profiles and Grant Types for Protection API Token issuance in its configuration data. Any OAuth authorization Grant Type might be appropriate depending on circumstances; for example, the Client Credentials Grant is useful when an organization acts as the Resource Owner. The UMA Implementer's Guide discusses grant options further.

A Protection API Token binds a Resource Owner, a Resource Server the owner uses for resource management, and an Authorization Server the owner uses for protection of resources at this Resource Server. It is not specific to any client or Requesting Party. The issuance of a Protection API Token represents the approval of the Resource Owner for this Resource Server to use this Authorization Server for protecting some or all of the Protected Resources belonging to this Resource Owner.
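As an added illustration (not code from this page or from any UMA implementation), the following Python sketch models both halves of the PAT lifecycle described above: a Resource Server obtains a Bearer token with the "uma_protection" scope via the Client Credentials Grant, and a guard in front of a Protection API endpoint rejects requests whose token is missing, unknown, expired, or lacks that scope with the RFC 6750 error codes. The Resource Server identifiers, secrets, Resource Owner names and lifetimes are constructed; the PAT record deliberately carries no client or Requesting Party, since a PAT is not specific to either.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed registrations for a hypothetical Authorization Server.
RESOURCE_SERVERS = {"rs1": "rs1-secret"}   # client_id -> client_secret
TOKENS = {}                                 # access token -> PAT


@dataclass
class PAT:
    resource_owner: str     # whose resources this PAT covers
    resource_server: str    # client_id of the Resource Server that obtained it
    scopes: frozenset       # must include "uma_protection" to count as a PAT
    expires_at: float       # absolute expiry, seconds since the epoch


def issue_token(client_id, client_secret, grant_type, scope, resource_owner, ttl=3600):
    """Token endpoint: Client Credentials Grant (RFC 6749 sect. 4.4), Bearer profile (RFC 6750).
    Returns (http_status, response_body)."""
    if RESOURCE_SERVERS.get(client_id) != client_secret:
        return 401, {"error": "invalid_client"}
    if grant_type != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(24)
    TOKENS[token] = PAT(resource_owner, client_id, frozenset(scope.split()), time.time() + ttl)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": ttl, "scope": scope}


def check_protection_api_access(authorization_header):
    """Guard placed in front of every Protection API endpoint.
    Returns (http_status, oauth_error_or_None, pat_or_None) using RFC 6750 codes:
    401 invalid_token for unknown or expired tokens, 403 insufficient_scope when
    the token lacks uma_protection."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        # RFC 6750 sect. 3.1: a missing credential gets 401 without an error code.
        return 401, None, None
    pat = TOKENS.get(authorization_header[len("Bearer "):].strip())
    if pat is None or pat.expires_at <= time.time():
        return 401, {"error": "invalid_token"}, None
    if "uma_protection" not in pat.scopes:
        return 403, {"error": "insufficient_scope", "scope": "uma_protection"}, None
    return 200, None, pat
```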
