User-Managed Access Protocol
User-Managed Access (UMA) is a lightweight access control protocol that defines a centralized workflow to allow an entity (user or corporation) to manage access to their resources.
To learn more about UMA, please read the specification.
Configuration
Support is enabled by including the following dependency in the WAR overlay:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-oauth-uma</artifactId>
<version>${cas.version}</version>
</dependency>
To see the relevant list of CAS properties for this feature, please review this guide.
Resources Storage
Resource definitions are by default kept inside an in-memory repository. CAS also provides an alternative implementation backed by the relational database of choice to track and manage such definitions. The repository choice is activated in CAS properties.
Endpoints
Requesting Party Token
Issue a GET
request to /oauth2.0/umaJwks
to retrieve signing public keys.
Policies
Create
Issue a POST
request to /oauth2.0/${resourceId}/policy
with the payload body as:
1
2
3
4
5
6
7
8
9
{
"permissions": [{
"subject": "casuser",
"scopes": ["read","write"],
"claims": {
"givenName": "CAS"
}
}]
}
Delete
Issue a DELETE
request as /oauth2.0/${resourceId}/policy/${policyId}
Update
Issue a PUT
request as /oauth2.0/${resourceId}/policy/${policyId}
with the payload body as one matching the POST
method.
Find
- Issue a
GET
request as/oauth2.0/${resourceId}/policy/
to fetch all policy definitions for a resource. - Issue a
GET
request as/oauth2.0/${resourceId}/policy/${policyId}
to fetch a specific policy definition for a resource.
Resources
Resource-related operations are handled at endpoint /oauth2.0/resourceSet
.
Create
The expected POST
payload body is:
1
2
3
4
5
6
7
{
"uri": "...",
"type": "...",
"name": "...",
"icon_uri": "...",
"resource_scopes": ["read","write"]
}
Delete
Issue a DELETE
request as ${resourceSetEndpoint}/${resourceId}
Update
Issue a PUT
request as ${resourceSetEndpoint}/${resourceId}
with the payload body as one matching the POST
method.
Find
- Issue a
GET
request as${resourceSetEndpoint}/${resourceId}
to fetch a specific resource definition. - Issue a
GET
request as${resourceSetEndpoint}
to fetch all resource definitions.
Permission Tickets
Issue a POST
request to /oauth2.0/permission
with the payload body as:
1
2
3
4
5
{
"claims": {"givenName":"CAS"},
"resource_id": 100,
"resource_scopes": ["read"]
}
Claims Collection
Issue a GET
request to /oauth2.0/rqpClaims
with the following query parameters:
client_id
redirect_uri
ticket
state
(Optional)
Discovery
UMA discovery is available via GET
at /oauth2.0/.well-known/uma-configuration
.
Authorization
Issue a POST
request to /oauth2.0/rptAuthzRequest
with the payload body as:
1
2
3
4
5
6
7
{
"ticket": "...",
"rpt": "...",
"grant_type":"urn:ietf:params:oauth:grant-type:uma-ticket",
"claim_token": "...",
"claim_token_format": "..."
}