
frdp-uma-client-proxy

ForgeRock Demonstration Platform : UMA Client Proxy : A gateway and "REST proxy" for User-Managed Access (UMA) 2.0 Requesting Party Clients. The UMA Client Proxy provides a simplified interface to the UMA 2.0 Grant for OAuth 2.0 Authorization flow.

A typical UMA client flow has the following steps:

  1. The Requesting Party (using the Client Application) requests the "resource" from the Resource Server. The Resource Server returns a Permission Ticket because the Requesting Party Token (RPT) is missing or invalid.
  2. The Requesting Party authenticates with the Authorization Server and obtains an OAuth authorization code.
  3. The authorization code and the Client's OAuth credentials are used to obtain a Claim Token from the Authorization Server.
  4. Using the Permission Ticket and the Claim Token, the Requesting Party Token (RPT) is obtained from the Authorization Server.
  5. With a valid Requesting Party Token (RPT), the request for the "resource" is re-submitted to the Resource Server, which returns the "resource".

Each UMA Requesting Party Client Application would otherwise need to implement all of these steps to support the UMA flow. The UMA Client Proxy simplifies Client Application development: the Client Application makes a single REST call and the proxy runs the flow on its behalf. The UMA Client Proxy can also cache Requesting Party Tokens (RPT) for improved performance.
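The five steps above, run end to end in an added Python simulation that is not part of the frdp-uma-client-proxy project: a stand-in Resource Server and Authorization Server exchange messages with a proxy-style client that caches the RPT, so a second request for the same resource skips steps 2-4 entirely. The ticket and token strings, the resource and the authorization code are constructed values; the client id and secret are the README's example values.

```python
# Added example, not code from the frdp-uma-client-proxy project: in-memory simulation of README steps 1-5.
import secrets

CLIENT_ID, CLIENT_SECRET = "UMA-RqP", "password"  # README's example client values
RESOURCES = {"res-1": "Alice's shared document"}  # constructed sample resource

class AuthorizationServer:
    """Stand-in AS (not ForgeRock AM): issues tickets, claim tokens and RPTs."""
    def __init__(self):
        self.tickets = {}  # permission ticket -> resource id it was issued for
        self.rpts = {}     # RPT -> resource id it grants
    def issue_ticket(self, resource_id):
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = resource_id
        return ticket
    def claim_token(self, auth_code, client_id, client_secret):
        # step 3: authorization code + client OAuth credentials -> claim token ("code-123" is constructed)
        if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET) or auth_code != "code-123":
            raise PermissionError("bad client credentials or authorization code")
        return "claim-for-" + auth_code
    def rpt(self, ticket, claim_token):
        # step 4: permission ticket + claim token -> RPT; each ticket is single-use
        if ticket not in self.tickets or not claim_token.startswith("claim-for-"):
            raise PermissionError("invalid permission ticket or claim token")
        rpt = "rpt-" + secrets.token_hex(8)
        self.rpts[rpt] = self.tickets.pop(ticket)
        return rpt

class ResourceServer:
    """Stand-in RS: returns the resource for a valid RPT, else a permission ticket."""
    def __init__(self, as_):
        self.as_ = as_
    def get(self, resource_id, rpt=None):
        if rpt is not None and self.as_.rpts.get(rpt) == resource_id:
            return 200, RESOURCES[resource_id]
        return 401, {"ticket": self.as_.issue_ticket(resource_id)}  # step 1

class ClientProxy:
    """Hides steps 1-5 behind one call and caches the RPT per resource."""
    def __init__(self, rs, as_):
        self.rs, self.as_, self.cache = rs, as_, {}
    def get_resource(self, resource_id, auth_code):
        status, body = self.rs.get(resource_id, self.cache.get(resource_id))
        if status == 200:
            return body  # cached RPT still valid: no Authorization Server round trip
        claim = self.as_.claim_token(auth_code, CLIENT_ID, CLIENT_SECRET)
        self.cache[resource_id] = self.as_.rpt(body["ticket"], claim)
        return self.rs.get(resource_id, self.cache[resource_id])[1]  # step 5
```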

[Figure: overview images of the Direct Client flow and the Proxy flow]

git clone https://github.com/ForgeRock/frdp-uma-client-proxy.git

Disclaimer

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

License

MIT

Reference

Overview

This repository supports multiple sub-projects:

Name    | Description
gateway | The core logic for processing the UMA Client flow, with support for caching. The output is a JAR file which provides Java classes that can be used by a stand-alone REST service or embedded into an existing service.
proxy   | The REST web service that provides the simplified interface for the UMA Client Application. This project leverages the gateway project.

Requirements

The following items must be installed:

  1. Apache Maven (tested with 3.5.x, 3.6.x)
  2. Java Development Kit 11
  3. Apache Tomcat (tested with Tomcat 9.0.x)
  4. ForgeRock Access Manager (tested with 7.0)
  5. UMA Resource Server

Build

Prerequisite:

The following items must be completed, in the following order:

  1. frdp-framework: clone or download it, then install it using Maven (mvn)

Gateway:

Run Maven (mvn) processes to clean, compile and install the jar file:

cd gateway
mvn clean compile install

Packages are added to the user's home folder:

find ~/.m2/repository/com/forgerock/frdp/uma/client-gateway
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/maven-metadata-local.xml
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0/client-gateway-1.2.0.jar
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0/client-gateway-1.2.0.pom
/home/forgerock/.m2/repository/com/forgerock/frdp/uma/client-gateway/1.2.0/_remote.repositories

Testing:

Use the TestGateway.java program to confirm the gateway is configured and operational. There must be a properly configured Authorization Server and Resource Server. Edit the target/classes/gateway.properties file to match the deployed servers. You will need to set the following properties:

Resource Server connection

  • rs.connect.protocol http
  • rs.connect.host rs.example.com
  • rs.connect.port 8090

Authorization Server connection

  • as.connect.protocol http
  • as.connect.host as.example.com
  • as.connect.port 8080

Authorization Server OAuth Client

  • as.oauth2.client.id UMA-RqP
  • as.oauth2.client.secret password
  • as.oauth2.client.redirect http://rqp.example.com/requesting-party

Run the test.sh script which sets the Java classpath and runs the TestGateway program:

./test.sh 
Feb 26, 2021 11:02:24 AM com.forgerock.frdp.uma.client.CachingGateway$CacheCleaner <init>
INFO: com.forgerock.frdp.uma.client.CachingGateway$CacheCleaner created
...

Proxy:

Installation:

Compile and Package:

Run Maven (mvn) processes to clean, compile and package the war file:

cd proxy
mvn clean compile package

The package process creates a deployable war file in the ./target directory:

ls -la ./target
total 21040
drwxr-xr-x   6 scott.fehrman  staff       192 Feb 25 21:05 .
drwxr-xr-x  10 scott.fehrman  staff       320 Feb 25 21:05 ..
drwxr-xr-x   3 scott.fehrman  staff        96 Feb 25 21:05 classes
drwxr-xr-x   3 scott.fehrman  staff        96 Feb 25 21:05 maven-archiver
drwxr-xr-x   5 scott.fehrman  staff       160 Feb 25 21:05 uma-proxy
-rw-r--r--   1 scott.fehrman  staff  10772167 Feb 25 21:05 uma-proxy.war

Deploy war file:

Copy the uma-proxy.war file to the webapps folder in the Tomcat server installation. The running Tomcat server will automatically unpack the war file.

cp ./target/uma-proxy.war TOMCAT_INSTALLATION/webapps

The deployed proxy service needs to be configured for the Authorization Server and Resource Server. Edit the proxy.properties file:

cd TOMCAT_INSTALLATION/webapps/uma-proxy/WEB-INF/config
vi proxy.properties

You will need to verify / update these properties:

  • rs.connect.protocol http
  • rs.connect.host rs.example.com
  • rs.connect.port 8090
  • as.connect.protocol http
  • as.connect.host as.example.com
  • as.connect.port 8080
  • as.oauth2.client.id UMA-RqP
  • as.oauth2.client.secret password
  • as.oauth2.client.redirect http://rqp.example.com/requesting-party

Restart the Tomcat server.
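An added check, not from the project, for the properties listed above (and the matching gateway.properties keys in the gateway Testing section): it parses a Java properties file and flags the settings a reviewer would want changed before the proxy handles real tokens. The sample file is constructed from the README's example values; the check assumes HTTPS is wanted for both server connections and for the OAuth redirect URI.

```python
# Added example, not from the project: a pre-deployment check of the properties
# the README asks you to edit. The sample file is constructed from its values.
SAMPLE_PROPERTIES = """\
# constructed from the README example values
rs.connect.protocol=http
rs.connect.host=rs.example.com
rs.connect.port=8090
as.connect.protocol=http
as.connect.host=as.example.com
as.connect.port=8080
as.oauth2.client.id=UMA-RqP
as.oauth2.client.secret=password
as.oauth2.client.redirect=http://rqp.example.com/requesting-party
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)  # first separator wins, so "http://" in a value is kept intact
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props

def check_properties(props):
    """Findings a reviewer would raise before the proxy handles real tokens."""
    findings = []
    for prefix in ("rs", "as"):
        if props.get(f"{prefix}.connect.protocol", "").lower() != "https":
            findings.append(f"{prefix}.connect.protocol is not https: tokens sent "
                            "to that server travel in the clear")
    if props.get("as.oauth2.client.secret", "") in ("", "password"):
        findings.append("as.oauth2.client.secret is empty or the README placeholder")
    if not props.get("as.oauth2.client.redirect", "").startswith("https://"):
        findings.append("as.oauth2.client.redirect is not https: the authorization "
                        "code is exposed on the redirect")
    return findings
```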

Test

The deployed uma-proxy service has a home page http://FQDN/uma-proxy with curl examples. The examples cover the following UMA Proxy end-points:

Name             | Method | URL
Shared with me   | GET    | https://FQDN/uma-proxy/rest/share/withme
Discoverable     | GET    | https://FQDN/uma-proxy/rest/share/owners/__OWNER__/discover
Get Resource     | GET    | https://FQDN/uma-proxy/rest/share/resources/__RESOURCEID__/?scopes=content
Revoke my access | DELETE | https://FQDN/uma-proxy/rest/share/resources/__RESOURCEID__/policy
