[keycloak-user] Authorization: proof of ownership

Corentin Dupont corentin.dupont at gmail.com
Wed Nov 22 16:29:44 EST 2017


Thanks for the issues, they are very relevant.
So at the moment, I think I will encode this "claiming" mechanism in the
API server.

On Wed, Nov 22, 2017 at 7:42 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> I see. But so far I was considering that when you create "MyHouse" you
> would already have the owner. In this case, you would just need to check
> resource.owner == identity.id.
>
> What you are looking for seems to be related to
> https://issues.jboss.org/browse/KEYCLOAK-4903 and
> https://issues.jboss.org/browse/KEYCLOAK-5346. The former is about
> a client pushing additional claims to the authorization request, and the
> latter should allow you to delegate the decision to an external
> resource or API (e.g.: some HTTP endpoint in your application).
>
> On Wed, Nov 22, 2017 at 3:46 PM, Corentin Dupont <
> corentin.dupont at gmail.com> wrote:
>
>> In my use case, the user can "claim" resources. But to do that, he needs
>> to prove that he is the rightful owner.
>>
>> In practice, the user possesses objects called "sensor nodes". Those are
>> just little boxes with a tag on them.
>> The tag has a number that the user can transmit to prove that he
>> physically owns the object.
>>
>> So my idea was to provide an endpoint able to change the owner of the
>> resource, based on the tag number.
>> Using our example, the endpoint to claim a resource could look like:
>>
>> curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
>>    "owner": "smith",
>>    "proof": "XXXXXXX"
>> }'
>>
>> A policy would check that the proof is valid, by matching it against a
>> database.
>> If accepted, then the resource owner should be changed.
>>
>> Do you think this is a good protocol?
>> How to write the policy to authorize the owner change at Keycloak level?
>> I don't see how to transmit the proof number when performing the
>> authorization request (with the entitlement API).
>>
>>
>
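Below is an added example of how the "claiming" mechanism could be encoded in the API server, as the thread concludes; it is not code from the mailing list or from Keycloak. It assumes the server has already validated the caller's access token and knows the caller's identity (modelled as a plain user id string), that each sensor node's tag number is stored server-side as a salted hash rather than in the clear, and that the "database" is an in-memory dict. The owner is taken from the authenticated identity, not from a client-supplied "owner" field, the proof is compared in constant time, and repeated failed claims lock the resource so the tag number cannot be brute-forced. The ownership check afterwards is the `resource.owner == identity.id` comparison Pedro describes.

```python
"""Claim-by-proof ownership transfer and the resulting owner check.

Added example, not the thread's or Keycloak's own code.  Assumptions:
  - the caller's identity has already been established from a validated
    token (here just a user id string passed in by the caller);
  - each sensor node's tag number is stored as sha256(salt || tag), never
    in plaintext;
  - the 'database' is an in-memory dict keyed by resource name.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical limit: after this many wrong proofs the resource is locked.
MAX_FAILED_CLAIMS = 5


@dataclass
class Resource:
    name: str
    owner: Optional[str]      # None until somebody successfully claims it
    tag_salt: bytes
    tag_hash: bytes           # sha256(tag_salt || tag number)
    failed_claims: int = 0


def hash_tag(salt: bytes, tag: str) -> bytes:
    """Salted hash of the tag number printed on the sensor node."""
    return hashlib.sha256(salt + tag.encode("utf-8")).digest()


def register_resource(db: Dict[str, Resource], name: str, tag: str) -> Resource:
    """Provisioning step: store the node with a hashed tag and no owner yet."""
    salt = os.urandom(16)
    res = Resource(name=name, owner=None, tag_salt=salt, tag_hash=hash_tag(salt, tag))
    db[name] = res
    return res


def claim(db: Dict[str, Resource], name: str, identity: str, proof: str) -> Tuple[int, str]:
    """Handler logic for PUT /api/v1/houses/<name>/owner.

    `identity` is the authenticated caller; `proof` is the tag number from
    the request body.  Returns an (HTTP status, message) pair.
    """
    res = db.get(name)
    if res is None:
        return 404, "unknown resource"
    if res.failed_claims >= MAX_FAILED_CLAIMS:
        # Lock out further guesses rather than let the tag be brute-forced.
        return 429, "too many failed claims; contact support"
    # Constant-time comparison of the hashed proof against the stored hash.
    if not hmac.compare_digest(hash_tag(res.tag_salt, proof), res.tag_hash):
        res.failed_claims += 1
        return 403, "invalid proof"
    res.owner = identity          # owner comes from the token, not the body
    res.failed_claims = 0
    return 200, "%s is now owned by %s" % (name, identity)


def can_access(db: Dict[str, Resource], name: str, identity: str) -> bool:
    """The ordinary authorization check once ownership is settled:
    resource.owner == identity.id, as suggested in the thread."""
    res = db.get(name)
    return res is not None and res.owner is not None and res.owner == identity


if __name__ == "__main__":
    store: Dict[str, Resource] = {}
    register_resource(store, "MyHouse", "1234567")   # constructed sample tag
    print(claim(store, "MyHouse", "smith", "0000000"))  # wrong proof -> 403
    print(claim(store, "MyHouse", "smith", "1234567"))  # right proof -> 200
    print(can_access(store, "MyHouse", "smith"), can_access(store, "MyHouse", "jones"))
```

If the request body still carries an "owner" field as in the curl example, the handler should either ignore it or reject the request when it differs from the authenticated identity; otherwise anyone who knows a tag number could assign the node to an arbitrary account.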

