2.5.1.3.1 Get Access Token

Goal

Get the access token for the identity of the requestor.

Context of Use

The identity of the application client, acting on behalf of a specific user, needs to access resources on the application server, and the application server needs an access token for that identity in order to call the access-check-related authorization use cases.

Actors

Application server: The application server is the service or process running on the server computer under the security context of the identity of the application server.

LSA policy database: A database that contains local system security policy settings such as user rights and other security-related rights.

SAM database: A database that contains local users and security groups.

Stakeholders

The primary interest of the identity of the application client is to access resources on the application server.

Preconditions

  • The identity of the application client has been authenticated by the Authentication Services subsystem (see [MS-AUTHSOD]).

  • The application server has the authorization information from the privilege attribute certificate (PAC) for the identity of the requesting application client.

  • User rights are configured in the LSA policy database, and local groups are configured in the SAM database.

Main success scenario

  1. Trigger: The application server needs an access token for the requesting identity before it can continue the authorization process.

  2. The application server submits the authorization information for the requested identity to the authorization system.

  3. The authorization system builds the access token from the user rights in the LSA policy database and from the local security groups in the SAM database, and returns it to the application server.
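The three-step scenario above, as an added Python model of how step 3 assembles the token from the PAC authorization data, the SAM local groups and the LSA user rights. This is an illustration written for this section, not Microsoft's implementation and not code from the specification. The well-known SIDs (Everyone, Authenticated Users, the BUILTIN groups) are real values; the domain SIDs, the local group memberships and the user-right assignments are constructed sample data. The model goes slightly beyond the text in two ways that matter in practice: local group membership is evaluated against every SID carried in the PAC, not only the user SID, and user rights are collected for every SID that ends up in the token, so a domain group placed in a local group pulls that group's rights into the token.

```python
"""Model of the "Get Access Token" use case (added example, not the
authorization system's own code).

The token for an authenticated identity is built from three inputs:
  1. the authorization data the server already holds from the PAC,
  2. local group membership from the SAM database,
  3. user rights (privileges and logon rights) from the LSA policy database.
All SIDs, memberships and right assignments below are constructed sample data
except the well-known SIDs, whose values are the real ones."""

from dataclasses import dataclass, field

# Well-known SIDs (real values).
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"
BUILTIN_REMOTE_DESKTOP_USERS = "S-1-5-32-555"

# Constructed sample domain SIDs (domain identifier 1000-2000-3000 is made up).
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
ALICE = "S-1-5-21-1000-2000-3000-1105"
BOB = "S-1-5-21-1000-2000-3000-1106"


@dataclass
class PacAuthorizationData:
    """What the server holds from the PAC (precondition 2): user SID plus
    the domain group SIDs the KDC placed in the PAC."""
    user_sid: str
    group_sids: list


@dataclass
class AccessToken:
    user_sid: str
    groups: set = field(default_factory=set)
    privileges: set = field(default_factory=set)


# Constructed SAM database: local group (alias) SID -> member SIDs.
# Local groups may contain domain users and domain groups, but not other
# local groups, so a single pass over the SAM resolves membership.
SAM_LOCAL_GROUPS = {
    BUILTIN_ADMINISTRATORS: {DOMAIN_ADMINS},
    BUILTIN_USERS: {AUTHENTICATED_USERS},
    BUILTIN_REMOTE_DESKTOP_USERS: {ALICE},
}

# Constructed LSA policy database: user right -> SIDs granted that right.
LSA_USER_RIGHTS = {
    "SeShutdownPrivilege": {BUILTIN_ADMINISTRATORS, BUILTIN_USERS},
    "SeRemoteInteractiveLogonRight": {BUILTIN_ADMINISTRATORS, BUILTIN_REMOTE_DESKTOP_USERS},
    "SeDebugPrivilege": {BUILTIN_ADMINISTRATORS},
    "SeChangeNotifyPrivilege": {EVERYONE},
}


def build_access_token(pac, sam_local_groups, lsa_user_rights):
    """Step 3 of the main success scenario: token = PAC data + SAM groups + LSA rights."""
    token = AccessToken(user_sid=pac.user_sid)

    # Start from the PAC groups plus the well-known SIDs every authenticated
    # identity receives (assumed here; the section itself does not list them).
    token.groups.update(pac.group_sids)
    token.groups.update({EVERYONE, AUTHENTICATED_USERS})

    # SAM lookup: a local group is added if ANY SID collected so far is a
    # member of it, not only the user SID.  This is how a domain group placed
    # in BUILTIN\Administrators makes its members local administrators.
    known_sids = {pac.user_sid} | token.groups
    for local_group_sid, members in sam_local_groups.items():
        if members & known_sids:
            token.groups.add(local_group_sid)

    # LSA lookup: every right assigned to any SID in the token is granted.
    holders = {pac.user_sid} | token.groups
    for right, granted_to in lsa_user_rights.items():
        if granted_to & holders:
            token.privileges.add(right)
    return token


if __name__ == "__main__":
    for name, pac in (
        ("alice", PacAuthorizationData(ALICE, [DOMAIN_USERS])),
        ("bob", PacAuthorizationData(BOB, [DOMAIN_USERS, DOMAIN_ADMINS])),
    ):
        tok = build_access_token(pac, SAM_LOCAL_GROUPS, LSA_USER_RIGHTS)
        print(name, "groups:", sorted(tok.groups))
        print(name, "privileges:", sorted(tok.privileges))
```

In the sample data, alice reaches BUILTIN\Users only through Authenticated Users and gets SeRemoteInteractiveLogonRight only through her direct membership in Remote Desktop Users, while bob gets BUILTIN\Administrators, and with it SeDebugPrivilege, solely because the PAC carried the Domain Admins SID. That is the reason the access-check use cases that follow this one must operate on the complete token rather than on the PAC alone.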

Postcondition

The application server process holds the access token for the requested identity and proceeds to the next steps of the authorization process.