In my use case, the user can "claim" resources. But to do that, he needs to
prove that he is the rightful owner.
In practice, the user possesses objects called "sensor nodes". Those are just
little boxes with a tag on them.
The tag has a number that the user can transmit to prove that he physically
owns the object.
So my idea was to provide an endpoint able to change the owner of the
resource, based on the tag number.
Using our example, the endpoint to claim a resource could look like:
curl -X PUT \
  -H 'Content-Type: application/json' \
  http://www.example.com/api/v1/houses/MyHouse/owner \
  -d '{
    "owner": "smith",
    "proof": "XXXXXXX"
  }'
A policy would check that the proof is valid by matching it against a
database.
If accepted, the resource owner should be changed.
Do you think this is a good protocol?
How do I write the policy to authorize the owner change at the Keycloak level?
I don't see how to transmit the proof number when performing the
authorization request (with the entitlement API).
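The claim flow described in the question, as an added example in Python (not the poster's code and not a Keycloak API): the resource service stores a SHA-256 hash of each node's tag number instead of the tag itself, compares the submitted proof against it in constant time, and changes the owner on a match. The lockout after MAX_FAILED_ATTEMPTS wrong proofs is an assumption added here because a short tag number on an unauthenticated endpoint is otherwise easy to guess; the resource name MyHouse, the tag value 1234567, and all function and class names are constructed for the example.

```python
"""Server-side logic for the claim endpoint. Added example, not the poster's code."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Assumption for this example: a node is locked after this many wrong proofs,
# since a short tag number is easy to brute-force through a claim endpoint.
MAX_FAILED_ATTEMPTS = 5


@dataclass
class SensorNode:
    node_id: str          # resource name, e.g. "MyHouse"
    proof_hash: bytes     # SHA-256 of the tag number; the plain tag is never stored
    owner: Optional[str] = None
    failed_attempts: int = 0


class ClaimError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def hash_proof(proof: str) -> bytes:
    return hashlib.sha256(proof.strip().encode("utf-8")).digest()


class ClaimService:
    """In-memory stand-in for the database the policy would match the proof against."""

    def __init__(self, nodes: Iterable[SensorNode]):
        self._nodes: Dict[str, SensorNode] = {n.node_id: n for n in nodes}

    def owner_of(self, node_id: str) -> Optional[str]:
        return self._nodes[node_id].owner

    def claim(self, node_id: str, new_owner: str, proof: str) -> SensorNode:
        node = self._nodes.get(node_id)
        if node is None:
            raise ClaimError(404, "unknown resource")
        if node.failed_attempts >= MAX_FAILED_ATTEMPTS:
            raise ClaimError(429, "too many failed claims for this resource")
        # Constant-time comparison of the two digests: no early exit on the
        # first differing byte, so timing does not leak how close a guess was.
        if not hmac.compare_digest(hash_proof(proof), node.proof_hash):
            node.failed_attempts += 1
            raise ClaimError(403, "invalid proof")
        # A valid tag proves physical possession, so the owner changes even
        # if the node was claimed before (this mirrors the question's design).
        node.failed_attempts = 0
        node.owner = new_owner
        return node


def handle_put_owner(service: ClaimService, node_id: str, body: str) -> Tuple[int, dict]:
    """Handle PUT /houses/<node_id>/owner with the JSON body from the question."""
    try:
        data = json.loads(body)
        owner, proof = data["owner"], data["proof"]
        if not isinstance(owner, str) or not isinstance(proof, str):
            raise TypeError("owner and proof must be strings")
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "body must be JSON with string 'owner' and 'proof'"}
    try:
        node = service.claim(node_id, owner, proof)
    except ClaimError as err:
        return err.status, {"error": str(err)}
    return 200, {"resource": node.node_id, "owner": node.owner}


def make_sample_service() -> ClaimService:
    # Constructed sample data: one unclaimed node whose tag reads 1234567.
    return ClaimService([SensorNode("MyHouse", hash_proof("1234567"))])


if __name__ == "__main__":
    svc = make_sample_service()
    print(handle_put_owner(svc, "MyHouse", '{"owner": "smith", "proof": "0000000"}'))
    print(handle_put_owner(svc, "MyHouse", '{"owner": "smith", "proof": "1234567"}'))
    print(handle_put_owner(svc, "MyHouse", '{"owner": "jones", "proof": "1234567"}'))
```

The example covers only the proof check against the database and the owner change that the question describes; it does not address how the proof reaches a Keycloak policy, which is the open part of the question.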