Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/03/05 07:30:38 UTC

[GitHub] [incubator-apisix] chnliyong commented on issue #1188: feature: Support for OAuth User Managed Access Protocol(UMA) for Authorization

URL: https://github.com/apache/incubator-apisix/issues/1188#issuecomment-595070533
 
 
   Hi @sshniro ,
   
   As I'm a little bit familiar with **Keycloak**, I've read the Keycloak [uma document](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access) and [uma 2.0](https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-09.html#abstract-flow-fig).
   
   Currently I'm not very clear about what **APISIX** should do in this flow. Is the description below right for your scenario?
   
   1. We access the resource provided by the *Resource Server* through *APISIX*, and the response from the *Resource Server* is `401 Unauthorized` with `as_uri` and `ticket`.
   2. *APISIX* redirects to *Keycloak*, then lets the user interact (authenticate) with *Keycloak* to get an `access_token`.
   3. *APISIX* uses the `as_uri`, `ticket` and `access_token` obtained in the previous 2 steps to request *Keycloak* to get the **uma ticket**.
   
   If the above is your scenario, how would the *uma ticket* be stored? Do we store it in a cookie? Do you have any suggestions? And if you know of some similar products supporting this, let me know. Thanks!
   
   
