feat: Support PAT using client credentials #73

joachimvh · 2025-12-15T13:41:14Z

Updates the UMA server to use PAT as identification method for the RS.

The following process should be followed:

RO registers RS on AS. This is doing following the OIDC dynamic client registration format. The RO should identify themselves using the authorization header, the same as for the policy API (OIDC tokens and raw WebID are supported).
The AS returns the id/secret combination.
The RO sends these to the RS. The implementation here makes use of the CSS account system: specific account parameters need to be updated to trigger the changes.
The RS uses these credentials to request a PAT from the AS, using the token endpoint.
The returned token needs to be used when performing a protected operation (registering a resource/requesting a ticket/introspection).

joachimvh requested a review from termontwouter December 15, 2025 13:41

joachimvh force-pushed the feat/pat branch from 5e43440 to d66599d Compare January 7, 2026 12:31

joachimvh force-pushed the feat/literal-identifiers branch from fc988f6 to 1c9cac1 Compare January 7, 2026 13:02

Base automatically changed from feat/literal-identifiers to main January 7, 2026 13:06

feat: Support PAT using client credentials

05da878

joachimvh force-pushed the feat/pat branch from d66599d to 05da878 Compare January 7, 2026 13:07

joachimvh merged commit 3fc83f4 into main Jan 7, 2026
6 checks passed

joachimvh deleted the feat/pat branch January 7, 2026 13:12

Provide feedback