By: Blazej A. user 21 Jan 2019 at 5:17 a.m. CST

2 Responses
Blazej A. gravatar
Hello gluu team, We would like to setup a UMA Authorization Server for our Spring and JavaEE applications. From the docs I can see we can use the oxd-server as a middleware between our apps and gluu server. This seems okay, but we would rather go with standard UMA API to not lock ourselves with oxd-server/oxd-client API.. I have two questions: 1. If we decide to stick to oxd - Can we somehow integrate oxd-client library so that our code uses standard Spring and JavaEE APIs e.g. the "hasrole()" to check for a scope? So that our code does not rely on oxd specific API? 2. Do you know any UMA Java client libraries (other than oxd-server/client) which are verified to work with gluu server? Libraries which do not introduce another API layer? Thanks!

By Michael Schwartz staff 21 Jan 2019 at 5:36 a.m. CST

Michael Schwartz gravatar
1. Something like `hasRole()` would normally be implemented in an UMA RPT authentication script, not in the API requesting a token. 2. There are no UMA client libraries that I know of. The reason we use the oxd-server middleware approach is that we are able to publish a wider range of client libraries (java, python, php, ruby, c#, node, etc). However, with that said, implementing an UMA client is pretty trivial. You can just read [UMA-Grant](https://gluu.co/uma-grant) 3. If you are implementing an UMA RS, you may want to consider looking at the [Gluu Gateway](https://gluu.org/docs/gg).

By Blazej A. user 21 Jan 2019 at 6:46 a.m. CST

Blazej A. gravatar
Hi Michael, thanks for the quick response. I was thinking about the hasRole in the following context: what if I need some additional authorization during my business logic, which is not easy to do at the early stage of request processing at RS? Let's say we need to verify if the user can retrieve certain type of information.. How would I use UMA to make the decision at the UMA RPT, but ask about the decision in my application logic - 1. is it possible at all? 2. can I use some build in Spring/JavaEE mechanisms, or do I need to use the oxd-client? Thanks once again!