!!! Overview
[{$pagename}] is defined in [User Managed Access|User-Managed Access], which states that the [Authorization Server] MUST present an HTTP-based [{$pagename}], protected by [TLS] and [OAuth 2.0] (or an OAuth-based authentication protocol), for use by [Resource Servers].

The [Authorization Server] thus has an OAuth [Token_endpoint] and [Authorization_endpoint]. The [Authorization Server] [MUST] declare all of its [{$pagename}] [endpoints] in its [Uma-configuration].

The [{$pagename}] consists of three [Endpoints]:

* [Resource Set Registration Endpoint|Resource_set_registration_endpoint] as defined by [OAuth 2.0 Resource Set Registration|Auth 2.0 Resource Set Registration]
* [Permission Registration Endpoint|Permission_registration_endpoint] as defined by Section 3.2
* [Token Introspection Endpoint] as defined by [OAuth 2.0 Token Introspection]

An [Entity] seeking [{$pagename}] access __MUST__ have the [OAuth Scope] "[uma_protection]". An [Access Token] with at least this [OAuth Scope] is called a [Protection API Token] (PAT), and an entity that can acquire an [Access Token] with this [OAuth Scope] is by definition a [Resource Server]. A single [Entity] can serve in both [Resource Server] and [OAuth Client] roles if it has [Access Tokens] with the appropriate [OAuth Scopes]. If a request to an endpoint fails due to an invalid, missing, or expired [Protection API Token], or requires [higher privileges|Level Of Assurance] at this [Endpoint] than provided by the [Protection API Token], the [Authorization Server] responds with an [OAuth Error].

The [Authorization Server] __MUST__ support the [OAuth 2.0] [Bearer Token] profile for [Protection API Token] issuance, and MAY support other [OAuth Token Profiles]. The [Authorization Server] MUST declare all supported [OAuth Token Profiles] and [Grant Types] for [Protection API Token] issuance in its [configuration data|Uma-configuration]. Any OAuth authorization [Grant Type] might be appropriate depending on circumstances; for example, the [Client Credentials Grant] is useful in the case of an organization acting as a [Resource Owner]. The [UMA Implementer's Guide|UMA Implementer Guide] discusses grant options further.

A [Protection API Token] binds a [Resource Owner], a [Resource Server] the owner uses for resource management, and an [Authorization Server] the owner uses for protection of resources at this [Resource Server]. It is not specific to any client or [Requesting Party]. The issuance of a [Protection API Token] represents the approval of the [Resource Owner] for this [Resource Server] to use this [Authorization Server] for protecting some or all of the [Protected Resources] belonging to this [Resource Owner].
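
The following Python code is an added example, not part of the UMA specification or of this wiki. It shows how an authorization server might check a PAT on a protection API request and choose the OAuth error to return. The token store, the function names and the mapping to the RFC 6750 Bearer error codes are assumptions made for illustration.

```python
import time

PROTECTION_SCOPE = "uma_protection"

# Constructed token store standing in for the authorization server's own
# token database (hypothetical). Each PAT binds an owner and a resource server.
TOKENS = {
    "pat-alice-rs1": {"scope": "uma_protection", "exp": 2_000_000_000,
                      "resource_owner": "alice", "resource_server": "rs1"},
    "lookalike": {"scope": "openid uma_protection_extra", "exp": 2_000_000_000,
                  "resource_owner": "alice", "resource_server": "rs1"},
    "pat-expired": {"scope": "uma_protection", "exp": 1_000_000_000,
                    "resource_owner": "bob", "resource_server": "rs1"},
}


def check_pat(authorization_header, now=None):
    """Return (http_status, oauth_error, token_record) for a protection API call."""
    now = time.time() if now is None else now
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer":
        # No Bearer credentials presented: challenge without an error code.
        return 401, None, None
    token = token.strip()
    if not token:
        return 400, "invalid_request", None
    record = TOKENS.get(token)
    if record is None or record["exp"] <= now:
        # Unknown and expired tokens get the same answer.
        return 401, "invalid_token", None
    # Scope is a space-delimited list; compare whole values, not substrings.
    if PROTECTION_SCOPE not in record["scope"].split():
        return 403, "insufficient_scope", None
    return 200, None, record


def www_authenticate(error):
    """Build the WWW-Authenticate challenge that accompanies a failed check."""
    if error is None:
        return "Bearer"
    header = f'Bearer error="{error}"'
    if error == "insufficient_scope":
        header += f', scope="{PROTECTION_SCOPE}"'
    return header
```

The record returned on success carries the resource owner and resource server the PAT binds, so an endpoint handler can restrict the request to that owner's resources at that resource server.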
