Configuring the UMA Actors

To allow UMA flows in your environment, you must configure the different UMA actors first. You may be familiar with some already, like the OAuth 2.0 provider and the OAuth 2.0 clients.

Even though the UMA provider is one of the actors, the role in AM is split between the OAuth2 Provider Service and the UMA provider Service, as you will see next.


To set up AM as an example UMA provider, resource server, and client, see The UMA Guide Example instead.

The OAuth 2.0/OpenID Connect Provider

As an extension of the OAuth 2.0 and OpenID Connect specifications, the AM authorization server is in charge of providing protection API access tokens, requesting party access tokens, and ID tokens to the UMA clients.

To configure the OAuth 2.0/OpenID Connect provider, see:

The UMA Provider

Configure the UMA provider by realm to expose UMA-related endpoints, and to configure UMA-related properties that are not exposed in the OAuth 2.0 provider.

The service's defaults are suitable for most situations and strike a good balance between security and ease of use.

Perform the steps in the following procedure to configure the service:

  • In the AM console, go to Realms > Top Level Realm > Services, and add an UMA Provider service.

    The UMA Provider page appears.

    For information about the available attributes, see the "UMA Provider".

The Resource Server

You need a server to let the end user register their resources and share them. The resource server can be an AM instance, a third-party service, or Identity Gateway

Regardless of where the resource server is, it needs an UMA client registered in the AM instance configured as the UMA provider.

UMA Clients

Configure OAuth 2.0 clients to work as a resource server agent, a requesting party, and a resource owner.

Special Scopes

  • The uma_protection Scope.

    Clients requiring a protection API access token (PAT) must be configured with the uma_protection scope. This scope tells AM that the token is a PAT, and not a regular access token.

  • The openid Scope.

    Clients performing the UMA grant require the openid scope, since AM will provide the claims that UMA requires inside an ID token.

For more information about registering clients, see see Client Registration.

Read a different version of :