Extending IG 5.x as a complete UMA-RS

Author:

Charan Mann

Created at:

Sep 2017

Updated at:

Dec 2022

Both AM and IG support UMA 1.0.1 where AM acts as UMA Authorization Server (AS) and IG as UMA Resource Server (RS).

Currently there are some limitations in UMA support in IG, one of the most important is: PAT is stored in IG memory and is not persisted and if IG is restarted then the resource owner must perform the entire share process again.

Note: This post is based on UMA 1.0.1 (Support for UMA 1.0 and UMA 1.0.1 will be removed in a future version of ForgeRock Access Management)

Solution

Versions used for this implementation: IG 5, AM 5.1 and DS 5

We can overcome some of these limitations by extending IG-UMA filter:

image

Some of the features of this extension:

  • Realm support

  • Extend IG-UMA REST endpoint: Authentication using PAT

  • User friendly UMA Resource name

  • Persisting UMA ResourceSet id and PAT in DS/OpenDJ:

image

UMA Flows

  • Alice share UMA resource
    image

Deploy

Testing

See Also

Get code