
Quick intro

The PCA™ Identity and Access Manager supports two patterns of access control.

  • User-based authorisation.
    • In this model ClientSystems invoke PCA™ API operations from within authenticated PCA™ user sessions.
    • Access tokens are granted via the OAuth 2.0 authorization code grant type.
    • The PCA™ Identity and Access Manager sets the scope of the access tokens that it issues according to the Authorisations of the PCAUser who is currently logged into the ClientSystem.
    • ClientSystems that support user-based authorisation may be operated by the PCA™ Operator (e.g. the PCA Portal), a participating organisation, or another organisation.
  • System-based authorisation.
    • In this model ClientSystems invoke PCA™ API operations independently of any user session – i.e. via “back-end” integration.
    • Access tokens are granted via the OAuth 2.0 client credentials grant type.
    • The PCA™ Identity and Access Manager sets the scope of the access tokens that it issues according to the Authorisations of the ClientSystem.

A single ClientSystem may be capable of using either user-based authorisation or system-based authorisation – i.e. it may request access tokens using either the OAuth 2.0 "authorization_code" grant type or the OAuth 2.0 "client_credentials" grant type.

Note, however, that a given ClientSystem instance must use either user-based authorisation or system-based authorisation, not both.

Regardless of which mode of authorisation it uses, a software component that accesses the PCA™ API must be registered as a client of the PCA™ Identity and Access Manager. ClientSystem registration is described in section Client registration.
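The following Python model is an added example, not code from the PCA™ documentation or from the Identity and Access Manager itself. It captures the scoping rule described above: under the "authorization_code" grant the token's scope follows the logged-in PCAUser, under "client_credentials" it follows the ClientSystem, a registered instance accepts only the grant type matching its mode, and unregistered clients get nothing. Client ids, user ids and authorisation names are constructed placeholders.

```python
# Added example, not PCA's code; all ids and authorisation names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientSystem:
    client_id: str
    mode: str                  # "user" (authorization_code) or "system" (client_credentials)
    authorisations: frozenset  # consulted only for system-based authorisation

@dataclass(frozen=True)
class PCAUser:
    user_id: str
    authorisations: frozenset  # consulted only for user-based authorisation

# A registered ClientSystem instance uses exactly one mode, so one grant type.
GRANT_FOR_MODE = {"user": "authorization_code", "system": "client_credentials"}

# Constructed registry: one portal-style client and one back-end integration.
CLIENTS = {
    "portal": ClientSystem("portal", "user", frozenset()),
    "backend": ClientSystem("backend", "system", frozenset({"pca:read"})),
}
USERS = {"alice": PCAUser("alice", frozenset({"pca:read", "pca:write"}))}

class TokenError(Exception):
    pass

def issue_token(client_id, grant_type, user_id=None):
    """Return a token dict whose scope is derived from the right authorisations."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise TokenError("ClientSystem is not registered")  # registration is mandatory
    if GRANT_FOR_MODE[client.mode] != grant_type:
        raise TokenError("grant_type does not match the registered mode")
    if grant_type == "authorization_code":
        # User-based: scope follows the logged-in PCAUser, not the ClientSystem.
        if user_id not in USERS:
            raise TokenError("authenticated PCA user session required")
        subject, scope = user_id, USERS[user_id].authorisations
    else:
        # System-based: no user session; scope follows the ClientSystem itself.
        subject, scope = client_id, client.authorisations
    return {"sub": subject, "client_id": client_id, "scope": sorted(scope)}

def issue_or_error(client_id, grant_type, user_id=None):
    """Helper for callers that want the refusal reason instead of an exception."""
    try:
        return issue_token(client_id, grant_type, user_id)
    except TokenError as exc:
        return str(exc)
```

Note that in the system-based branch any user id is ignored: the token identifies the ClientSystem only, which is why its Authorisations, not a user's, must be what is audited for back-end integrations.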

Trade marks of the Australian Digital Health Agency: 
Provider Connect Australia™, Helping healthcare providers stay connected™
