ForgeRock Demonstration Platform : UMA Client Proxy

A gateway and "REST proxy" for User-Managed Access (UMA) 2.0 Requesting Party Clients. The UMA Client Proxy provides a simplified interface to the UMA 2.0 Grant for OAuth 2.0 Authorization flow.
A typical UMA client flow has the following steps:
- The Requesting Party (using the Client Application) makes a request to obtain the "resource" from the Resource Server. The Resource Server returns a `Permission Ticket` because of either a missing or invalid `Requesting Party Token (RPT)`.
- The Requesting Party needs to authenticate with the Authorization Server and obtain an OAuth `authorization code`.
- The `authorization code` and the Client OAuth credentials are used to obtain a `Claim Token` from the Authorization Server.
- Using the `Permission Ticket` and the `Claim Token`, the `Requesting Party Token (RPT)` is obtained from the Authorization Server.
- With a valid `Requesting Party Token (RPT)`, the request for the "resource" is re-submitted to the Resource Server. The "resource" is returned.
Each UMA Requesting Party Client Application will need to implement all of these steps to support the UMA flow. The UMA Client Proxy simplifies Client Application development: a single REST call is made. The UMA Client Proxy can cache `Requesting Party Tokens (RPT)` for improved performance.
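The flow above, as an added example that is not code from the frdp-uma-client-proxy project: a minimal in-memory model of the UMA 2.0 grant steps the proxy runs on behalf of the Requesting Party, with an RPT cache in front of them. The Resource Server and Authorization Server are constructed stand-ins; the message shapes (the `WWW-Authenticate: UMA` challenge carrying the ticket, the token request with the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type) follow the UMA 2.0 Grant specification, and the claim token is assumed to have already been obtained (steps 2 and 3). The resource id, scopes and claim token value are constructed.

```python
"""Added example (not project code): UMA 2.0 grant flow with an RPT cache,
against constructed in-memory RS and AS stand-ins."""
import re
import secrets

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


class AuthorizationServer:
    """Constructed stand-in AS: remembers the tickets and RPTs it issued."""

    def __init__(self):
        self.tickets = {}  # ticket -> (resource_id, scopes)
        self.rpts = {}     # rpt -> (resource_id, scopes)

    def issue_ticket(self, resource_id, scopes):
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (resource_id, tuple(scopes))
        return ticket

    def token(self, form):
        """Token endpoint for the uma-ticket grant; tickets are single use."""
        if form.get("grant_type") != UMA_TICKET_GRANT or form.get("ticket") not in self.tickets:
            return 400, {"error": "invalid_grant"}
        if not form.get("claim_token"):
            return 403, {"error": "need_info"}  # no claims pushed: policy cannot be evaluated
        resource_id, scopes = self.tickets.pop(form["ticket"])
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = (resource_id, scopes)
        return 200, {"access_token": rpt, "token_type": "Bearer"}


class ResourceServer:
    """Constructed stand-in RS: returns the resource for a valid RPT, otherwise
    a 401 carrying a permission ticket obtained from the AS (step 1)."""

    def __init__(self, authz):
        self.authz = authz
        self.resources = {"res-1": {"content": "quarterly report"}}  # constructed

    def get(self, resource_id, scopes, rpt=None):
        if rpt and self.authz.rpts.get(rpt) == (resource_id, tuple(scopes)):
            return 200, {}, self.resources[resource_id]
        ticket = self.authz.issue_ticket(resource_id, scopes)
        challenge = f'UMA realm="example", as_uri="https://as.example.com", ticket="{ticket}"'
        return 401, {"WWW-Authenticate": challenge}, None


def parse_uma_challenge(header):
    """Extract the permission ticket from a WWW-Authenticate: UMA ... header."""
    if not header or not header.startswith("UMA "):
        return None
    m = re.search(r'ticket="([^"]+)"', header)
    return m.group(1) if m else None


class ProxyGateway:
    """What the proxy does for the client: one call in, resource out. RPTs are
    cached per (resource, scopes), so repeat requests never touch the AS."""

    def __init__(self, rs, authz, claim_token):
        self.rs, self.authz, self.claim_token = rs, authz, claim_token
        self.rpt_cache = {}
        self.as_calls = 0

    def fetch(self, resource_id, scopes):
        key = (resource_id, tuple(scopes))
        status, headers, body = self.rs.get(resource_id, scopes, self.rpt_cache.get(key))
        if status == 200:
            return body  # cached RPT is still valid
        ticket = parse_uma_challenge(headers.get("WWW-Authenticate"))
        if ticket is None:
            raise PermissionError(f"RS returned {status} without a UMA ticket")
        self.as_calls += 1  # step 4: ticket + claim token -> RPT
        status, tok = self.authz.token({"grant_type": UMA_TICKET_GRANT,
                                        "ticket": ticket,
                                        "claim_token": self.claim_token})
        if status != 200:
            raise PermissionError(f"AS refused RPT: {tok.get('error')}")
        self.rpt_cache[key] = tok["access_token"]
        status, _, body = self.rs.get(resource_id, scopes, self.rpt_cache[key])
        if status != 200:
            raise PermissionError("RS rejected a freshly issued RPT")
        return body  # step 5: resource returned


def demo():
    """Two requests for one resource: the second is served from the RPT cache."""
    authz = AuthorizationServer()
    gw = ProxyGateway(ResourceServer(authz), authz, claim_token="<constructed claim token>")
    first = gw.fetch("res-1", ["content"])
    second = gw.fetch("res-1", ["content"])
    return first, second, gw.as_calls  # as_calls stays at 1


def fetch_without_claims():
    """Failure mode: with no claim token the AS answers need_info and the
    gateway refuses instead of retrying the RS."""
    authz = AuthorizationServer()
    gw = ProxyGateway(ResourceServer(authz), authz, claim_token="")
    try:
        gw.fetch("res-1", ["content"])
    except PermissionError as exc:
        return str(exc)
    return None
```

Calling `demo()` shows the cost the proxy removes from each client: the first request costs a round trip to the RS, one to the AS and a retry to the RS, while the second is a single RS call because the RPT is reused from the cache. The stand-in AS treats a ticket as single use and refuses a request with no claim token, which is the case a real gateway must surface to the client rather than retry.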
Diagrams (images not reproduced here): Direct Client flow; Proxy flow.
```shell
git clone https://github.com/ForgeRock/frdp-uma-client-proxy.git
```
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- Specification: User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
- Specification: Federated Authorization for User-Managed Access (UMA) 2.0
- Documentation: ForgeRock Access Manager 7, User Managed Access (UMA) 2.0 Guide
This repository supports multiple sub-projects:

Name | Description |
---|---|
gateway | The core logic for processing the UMA Client flow and supports caching. The output is a JAR file which provides Java classes that can be used by a stand-alone REST service or embedded into an existing service. |
proxy | The REST web service that provides the simplified interface for the UMA Client Application. This project leverages the gateway project. |
The following items must be installed:
- Apache Maven (tested with 3.5.x, 3.6.x)
- Java Development Kit 11
- Apache Tomcat (tested with Tomcat 9.0.x)
- ForgeRock Access Manager (tested with 7.0)
- UMA Resource Server
The following items must be completed, in the following order:
- frdp-framework ... clone / download then install using Maven (`mvn`)
Run Maven (`mvn`) processes to clean, compile and install the jar file:

```shell
cd gateway
mvn clean compile install
```
Packages are added to the user's home folder:

```shell
find ~/.m2/repository/com/forgerock/frdp/uma/client-gateway
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/maven-metadata-local.xml
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0/client-gateway-1.2.0.jar
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0/client-gateway-1.2.0.pom
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0/_remote.repositories
```
Use the `TestGateway.java` program to confirm the gateway is configured and operational. There must be a properly configured Authorization Server and Resource Server. Edit the `target/classes/gateway.properties` file to match the deployed servers. You will need to set the following properties:

```properties
rs.connect.protocol http
rs.connect.host rs.example.com
rs.connect.port 8090
as.connect.protocol http
as.connect.host as.example.com
as.connect.port 8080
as.oauth2.client.id UMA-RqP
as.oauth2.client.secret password
as.oauth2.client.redirect http://rqp.example.com/requesting-party
```
Run the `test.sh` script which sets the Java classpath and runs the `TestGateway` program:

```shell
./test.sh
Feb 26, 2021 11:02:24 AM com.forgerock.frdp.uma.client.CachingGateway$CacheCleaner <init>
INFO: com.forgerock.frdp.uma.client.CachingGateway$CacheCleaner created
...
```
Run Maven (`mvn`) processes to clean, compile and package the war file:

```shell
cd proxy
mvn clean compile package
```
The package process creates a deployable war file in the current directory, under `./target`:

```shell
ls -la ./target
total 21040
drwxr-xr-x 6 scott.fehrman staff 192 Feb 25 21:05 .
drwxr-xr-x 10 scott.fehrman staff 320 Feb 25 21:05 ..
drwxr-xr-x 3 scott.fehrman staff 96 Feb 25 21:05 classes
drwxr-xr-x 3 scott.fehrman staff 96 Feb 25 21:05 maven-archiver
drwxr-xr-x 5 scott.fehrman staff 160 Feb 25 21:05 uma-proxy
-rw-r--r-- 1 scott.fehrman staff 10772167 Feb 25 21:05 uma-proxy.war
```
Copy the `uma-proxy.war` file to the `webapps` folder in the Tomcat server installation. The running Tomcat server will automatically unpack the war file.

```shell
cp ./target/uma-proxy.war TOMCAT_INSTALLATION/webapps
```
The deployed proxy service needs to be configured for the Authorization Server and Resource Server. Edit the `proxy.properties` file:

```shell
cd TOMCAT_INSTALLATION/webapps/uma-proxy/WEB-INF/config
vi proxy.properties
```
You will need to verify / update these properties:

```properties
rs.connect.protocol http
rs.connect.host rs.example.com
rs.connect.port 8090
as.connect.protocol http
as.connect.host as.example.com
as.connect.port 8080
as.oauth2.client.id UMA-RqP
as.oauth2.client.secret password
as.oauth2.client.redirect http://rqp.example.com/requesting-party
```
Restart the Tomcat server
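The same nine properties are edited for the gateway (`gateway.properties`) and for the proxy (`proxy.properties`). As an added example that is not part of the frdp-uma-client-proxy project, the check below parses a properties file and reports what a practitioner would want to know before the Tomcat restart: a property the README lists that is missing, an `http` connection to the AS or RS, an `http` redirect URI, a non-numeric port, and a client secret that is still a placeholder. The parser accepts the `key value`, `key=value` and `key:value` forms; it does not implement Java's escape rules (an assumption stated here, not a claim about how the project reads the file). The two sample inputs are constructed: the first reproduces the README's demo values, the second is a TLS-everywhere variant with a secret placeholder standing in for a generated value.

```python
"""Added example (not project code): pre-deployment check for
gateway.properties / proxy.properties."""
import re

# The properties the README says must be set.
REQUIRED_KEYS = (
    "rs.connect.protocol", "rs.connect.host", "rs.connect.port",
    "as.connect.protocol", "as.connect.host", "as.connect.port",
    "as.oauth2.client.id", "as.oauth2.client.secret", "as.oauth2.client.redirect",
)
PLACEHOLDER_SECRETS = {"", "password", "secret", "changeme"}


def parse_properties(text):
    """Parse 'key value' / 'key=value' / 'key:value' lines; '#' and '!' start comments.
    Java escape sequences are not handled (assumption for this example)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_properties(props):
    """Return (finding, key) pairs; an empty list means nothing to fix."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(("missing", key))
    for side in ("rs", "as"):
        if props.get(f"{side}.connect.protocol", "").lower() != "https":
            findings.append(("plaintext-transport", f"{side}.connect.protocol"))
        port = props.get(f"{side}.connect.port", "")
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(("bad-port", f"{side}.connect.port"))
    if props.get("as.oauth2.client.secret", "").lower() in PLACEHOLDER_SECRETS:
        findings.append(("placeholder-secret", "as.oauth2.client.secret"))
    redirect = props.get("as.oauth2.client.redirect", "")
    if redirect and not redirect.startswith("https://"):
        findings.append(("plaintext-redirect", "as.oauth2.client.redirect"))
    return findings


# Constructed input: the demo values from the README, verbatim.
README_SAMPLE = """\
rs.connect.protocol http
rs.connect.host rs.example.com
rs.connect.port 8090
as.connect.protocol http
as.connect.host as.example.com
as.connect.port 8080
as.oauth2.client.id UMA-RqP
as.oauth2.client.secret password
as.oauth2.client.redirect http://rqp.example.com/requesting-party
"""

# Constructed input: TLS everywhere; the secret is a placeholder for a generated value.
HARDENED_SAMPLE = """\
# hosts and client id unchanged from the README
rs.connect.protocol=https
rs.connect.host=rs.example.com
rs.connect.port=8443
as.connect.protocol: https
as.connect.host: as.example.com
as.connect.port: 8443
as.oauth2.client.id=UMA-RqP
as.oauth2.client.secret=<GENERATED-RANDOM-SECRET>
as.oauth2.client.redirect=https://rqp.example.com/requesting-party
"""


def report(text):
    """Convenience wrapper: parse and check in one call."""
    return check_properties(parse_properties(text))
```

`report(README_SAMPLE)` returns four findings (plain `http` for both the RS and AS connections, the `password` client secret, and the `http` redirect URI), which is expected for the demo values but is what to clear before pointing the proxy at a real Authorization Server. `report(HARDENED_SAMPLE)` returns an empty list.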
The deployed `uma-proxy` service has a home page `http://FQDN/uma-proxy` with curl examples. The examples cover the following UMA Proxy end-points:
Name | Method | URL |
---|---|---|
Shared with me | GET | https://FQDN/uma-proxy/rest/share/withme |
Discoverable | GET | https://FQDN/uma-proxy/rest/share/owners/__OWNER__/discover |
Get Resource | GET | https://FQDN/uma-proxy/rest/share/resources/__RESOURCEID__/?scopes=content |
Revoke my access | DELETE | https://FQDN/uma-proxy/rest/share/resources/__RESOURCEID__/policy |