chnliyong commented on issue #1188: feature: Support for OAuth User Managed Access Protocol(UMA) for Authorization
URL: https://github.com/apache/incubator-apisix/issues/1188#issuecomment-595070533
 
 
   Hi @sshniro ,
   
   As I'm a little bit familiar with **Keycloak**, I've read the Keycloak [uma document](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access) and [uma 2.0](https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-09.html#abstract-flow-fig).
   
   Currently I'm not very clear about what **APISIX** should do in this flow. Is the description below right for your scenario?
   
   1. We access the resource provided by the *Resource Server* through *APISIX*, and the response from the *Resource Server* is `401 Unauthorized` with `as_uri` and `ticket`.
   2. *APISIX* redirects to *Keycloak*, then lets the user interact (authenticate) with *Keycloak* to get an `access_token`.
   3. *APISIX* uses the `as_uri`, `ticket`, and `access_token` obtained in the previous 2 steps to request *Keycloak* to get the **uma ticket**.
   
   If the above is your scenario, how would the *uma ticket* be stored? Do we store it in a cookie? Do you have any suggestions? And if you know of some similar products supporting this, let me know. Thanks!
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
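
The three steps outlined in the comment above, as an added example that is not part of the original message and is not APISIX code: it parses the `as_uri` and `ticket` from an upstream `401` UMA challenge and builds the follow-up request to Keycloak, refusing to send the user's `access_token` to an `as_uri` the gateway does not already trust. The function names, the allowlist, the host name and the sample header are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Assumption: the gateway is configured with the authorization servers it trusts.
TRUSTED_AS = {"https://keycloak.example.com/realms/demo"}

_PARAM = re.compile(r'([A-Za-z_]+)="([^"]*)"')


class ChallengeError(ValueError):
    """Raised when an upstream challenge is malformed or untrusted."""


def parse_uma_challenge(status, www_authenticate):
    """Extract as_uri and ticket from an upstream 401 UMA challenge (step 1)."""
    if status != 401:
        raise ChallengeError("not a 401 response")
    scheme, _, rest = www_authenticate.strip().partition(" ")
    if scheme.lower() != "uma":
        raise ChallengeError("not a UMA challenge")
    params = dict(_PARAM.findall(rest))
    missing = {"as_uri", "ticket"} - params.keys()
    if missing:
        raise ChallengeError("missing " + ", ".join(sorted(missing)))
    return params["as_uri"].rstrip("/"), params["ticket"]


def build_token_request(as_uri, ticket, access_token, trusted=TRUSTED_AS):
    """Build (not send) the step-3 request; refuse an untrusted as_uri."""
    if urlsplit(as_uri).scheme != "https" or as_uri not in trusted:
        raise ChallengeError("as_uri is not a trusted authorization server")
    return {
        "method": "POST",
        # Assumption: Keycloak's token endpoint path under the realm URL.
        "url": as_uri + "/protocol/openid-connect/token",
        "headers": {
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": UMA_GRANT, "ticket": ticket}),
    }


# Constructed sample challenge, in the header layout UMA 2.0 defines.
SAMPLE = 'UMA realm="demo", as_uri="https://keycloak.example.com/realms/demo", ticket="016f84e8-f9b9-11e0-bd6f-0800200c9a66"'

if __name__ == "__main__":
    print(build_token_request(*parse_uma_challenge(401, SAMPLE), "constructed-access-token"))
```

Because the `as_uri` arrives in a response from the upstream service, the allowlist check is what keeps a misbehaving upstream from directing the user's token to another host.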
