I see. But so far I was considering that when you create "MyHouse" you
would already have the owner. In this case, you would just need to check
resource.owner == identity.id.
What you are looking for seems to be related to
https://issues.jboss.org/browse/KEYCLOAK-4903 and
https://issues.jboss.org/browse/KEYCLOAK-5346. The former is about a
client pushing additional claims to the authorization request, and the
latter should allow you to delegate the decision to an external
resource or API (e.g. some HTTP endpoint in your application).
On Wed, Nov 22, 2017 at 3:46 PM, Corentin Dupont <corentin.dupont(a)gmail.com>
wrote:
In my use case, the user can "claim" resources. But to do that, he needs to
prove that he is the rightful owner.
In practice, the user possesses objects called "sensor nodes". Those are
just little boxes with a tag on them.
The tag has a number that the user can transmit to prove that he physically
owns the object.
So my idea was to provide an endpoint able to change the owner of the
resource, based on the tag number.
Using our example, the endpoint to claim a resource could look like:
curl -X PUT -H 'Content-Type: application/json' \
http://www.example.com/api/v1/houses/MyHouse/owner -d '{
"owner": "smith",
"proof": "XXXXXXX"
}'
A policy would check that the proof is valid, by matching it against a
database.
If accepted, then the resource owner should be changed.
Do you think this is a good protocol?
How to write the policy to authorize the owner change at Keycloak level?
I don't see how to transmit the proof number when performing the
authorization request (with the entitlement API).
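The owner check suggested in the reply (resource.owner == identity.id), written as a Keycloak-style JavaScript policy, as an added example that is not code from this thread or from Keycloak itself. The accessor names (getContext, getIdentity, getId, getPermission, getResource, getOwner, grant, deny) follow Keycloak's documented JavaScript policy API; the getClaims() path for a pushed "proof" claim, the PROOF_REGISTRY lookup standing in for the database, and the $evaluation stand-in used to run it offline are assumptions for illustration. In Keycloak, $evaluation is a global and only the body of ownerPolicy would be pasted into the policy editor.

```javascript
// Constructed stand-in for the database of tag numbers, keyed by resource name.
var PROOF_REGISTRY = { MyHouse: 'TAG-1234' };

// Policy body as it would appear in the Keycloak admin console, wrapped in a
// function here so the example can call it; Keycloak supplies $evaluation.
function ownerPolicy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();

  // String() makes the comparison work both on Java strings in Nashorn and
  // on plain JS strings here; === on Java string objects would compare references.
  if (String(resource.getOwner()) === String(identity.getId())) {
    $evaluation.grant();
    return;
  }

  // Assumed claim path: a "proof" claim pushed with the authorization request
  // (KEYCLOAK-4903 style) is only honoured if it matches the server-side
  // registry for this resource; the client-supplied value is never trusted alone.
  var claims = typeof permission.getClaims === 'function' ? permission.getClaims() : null;
  var proofs = claims ? claims.get('proof') : null;
  var proof = proofs && proofs.length ? String(proofs[0]) : null;
  var expected = PROOF_REGISTRY[String(resource.getName())];
  if (proof && expected && proof === expected) {
    $evaluation.grant();
    return;
  }

  // Deny by default: anything not explicitly granted is refused.
  $evaluation.deny();
}

// Constructed stand-in for Keycloak's $evaluation object so the policy runs offline.
function makeEvaluation(resourceName, ownerId, requesterId, claims) {
  var result = { decision: null };
  return {
    result: result,
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return requesterId; } }; } };
    },
    getPermission: function () {
      return {
        getResource: function () {
          return {
            getName: function () { return resourceName; },
            getOwner: function () { return ownerId; }
          };
        },
        getClaims: function () { return claims || new Map(); }
      };
    },
    grant: function () { result.decision = 'GRANT'; },
    deny: function () { result.decision = 'DENY'; }
  };
}

// Run the policy for one request and return the decision.
function evaluate(resourceName, ownerId, requesterId, claims) {
  var ev = makeEvaluation(resourceName, ownerId, requesterId, claims);
  ownerPolicy(ev);
  return ev.result.decision;
}

// Constructed requests: owner access, a stranger, a stranger with a valid tag,
// and a stranger with a wrong tag.
console.log(evaluate('MyHouse', 'smith', 'smith'));                                    // GRANT
console.log(evaluate('MyHouse', 'alice', 'smith'));                                    // DENY
console.log(evaluate('MyHouse', 'alice', 'smith', new Map([['proof', ['TAG-1234']]]))); // GRANT
console.log(evaluate('MyHouse', 'alice', 'smith', new Map([['proof', ['WRONG']]])));    // DENY
```

The policy only decides whether the owner change may proceed; actually rewriting the owner is left to the endpoint that received the PUT, which is what keeps the proof check and the state change in one place.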