Differentiation Authorization Services and UMA

I am trying to understand the Authorization Services.

The documentation for that rarely uses the term UMA. But in my understanding, the protocol used is normal UMA - is it? Is there a reason the documentation doesn’t say something like this:

The Keycloak Authorization Services build the UMA standard on top of the authentication services and provide access control to specific resources.

Thanks in advance for an answer!

There is something like that here in the “Authorization Services” documentation:

The Protection API is a set of UMA-compliant endpoint-providing operations for resource servers to help them manage their resources, scopes, permissions, and policies associated with them. Only resource servers are allowed to access this API, which also requires a uma_protection scope.

What do you think should be added in order to make it clearer?

Thanks for the quick response!

Yeah, I read that! But this reads like UMA is just the Protection API and the rest of the authorization services have nothing to do with UMA - in my current understanding all communication with the authorization part (except the Admin UI) is all UMA. (Is that correct?)

It would have helped me a lot if I had researched UMA before trying to understand the Authorization Services. Also, just saying that this authorization information can’t be included in the OIDC access/ID token or the user endpoint, and that the authorization services are a different protocol on top of the other, would have been helpful!

Am I on the right track?

Thanks again!

Correct. Yes, you are on the right track. I agree that the documentation is somewhat thin in this case.

Thank you very much!! Very helpful!