Access Management 7.3.2

UMA actors

To allow UMA flows in your environment, you must first configure the UMA actors. You might already be familiar with some of these actors, such as the OAuth 2.0 provider, and the OAuth 2.0 clients.

Although the UMA provider is one of the actors, this role in AM is divided between the OAuth2 provider service and the UMA provider service, as you will see next.

To set up AM as an example UMA provider, resource server, and client, see the UMA use case instead.

The OAuth 2.0/OpenID Connect provider

As an extension of the OAuth 2.0 and OpenID Connect specifications, the AM authorization server is responsible for providing protection API access tokens (PATs), and requesting party access tokens (RPTs) and ID tokens for UMA clients.

To configure the OAuth 2.0/OpenID Connect provider, see:

UMA provider

Configure the UMA provider by realm to expose UMA-related endpoints, and to configure UMA-related properties that are not exposed in the OAuth 2.0 provider.

The service’s defaults are suitable for most situations and strike a good balance between security and ease of use.

To configure the service, in the AM admin UI, go to Realms > Realm Name > Services, and add an UMA Provider service.

For information about the available attributes, see UMA Provider.

Resource server

You need a server to let the end user register their resources and share them. The resource server can be an AM instance, a third-party service, or Identity Gateway.

Regardless of where the resource server is, it needs an UMA client that is registered in AM and configured as the UMA provider.

UMA clients

Configure OAuth 2.0 clients to work as a resource server agent, a requesting party, and a resource owner.

Special scopes:

  • The uma_protection Scope.

    Clients requiring a protection API access token (PAT) must be configured with the uma_protection scope. This scope tells AM that the token is a PAT, and not a regular access token.

  • The openid Scope.

    Clients performing the UMA grant require the link:openid scope, since AM will provide the claims that UMA requires inside an ID token.

For more information about registering clients, see Client application registration.