Thanks for the issues, they are very relevant.
So at the moment, I think I will encode this "claiming" mechanism in the
API server.
On Wed, Nov 22, 2017 at 7:42 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
I see. But so far I was considering that when you create "MyHouse" you
would already have the owner. In this case, you would just need to check
resource.owner == identity.id.
What you are looking for seems to be related to
https://issues.jboss.org/browse/KEYCLOAK-4903 and
https://issues.jboss.org/browse/KEYCLOAK-5346, where the former is about
a client pushing additional claims to the authorization request and the
latter should allow you to delegate the decision to an external
resource or API (e.g.: some HTTP endpoint in your application).
On Wed, Nov 22, 2017 at 3:46 PM, Corentin Dupont <
corentin.dupont(a)gmail.com> wrote:
> In my use case, the user can "claim" resources. But to do that, he needs
> to prove that he is the rightful owner.
>
> In practice, the user possesses objects called "sensor nodes". Those are
> just little boxes with a tag on them.
> The tag has a number that the user can transmit to prove that he
> physically owns the object.
>
> So my idea was to provide an endpoint able to change the owner of the
> resource, based on the tag number.
> Using our example, the endpoint to claim a resource could look like:
>
> curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
>   "owner": "smith",
>   "proof": "XXXXXXX"
> }'
>
> A policy would check that the proof is valid, by matching it against a
> database.
> If accepted, then the resource owner should be changed.
>
> Do you think this is a good protocol?
> How to write the policy to authorize the owner change at Keycloak level?
> I don't see how to transmit the proof number when performing the
> authorization request (with the entitlement API).
>
>
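As an added illustration of the claiming mechanism discussed in this thread (example code written for this page, not from the thread participants or from Keycloak), here is a sketch of the API-server-side handler for the PUT /houses/MyHouse/owner request above. It combines Pedro's check that the authenticated identity matches the requested owner with the proof lookup Corentin describes. The resource table, the tag values and the hashing scheme are constructed assumptions standing in for the application's own database.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample state standing in for the application's own database
# (not from the mailing-list thread). Each resource has an owner, or None
# while unclaimed. Each sensor node's tag number is stored only as a hash
# bound to its resource, so a leaked table does not directly yield proofs.
# A short numeric tag still has little entropy, so failed claims should be
# rate-limited and logged in a real deployment.
RESOURCES: Dict[str, Dict[str, Optional[str]]] = {
    "MyHouse": {"owner": None},      # unclaimed
    "Shed": {"owner": "jones"},      # already claimed by "jones"
}


def _hash_tag(resource_id: str, tag: str) -> str:
    """Hash a tag number together with the resource it belongs to."""
    return hashlib.sha256(f"{resource_id}:{tag}".encode()).hexdigest()


TAG_HASHES: Dict[str, str] = {
    "MyHouse": _hash_tag("MyHouse", "XXXXXXX"),  # constructed tag value
    "Shed": _hash_tag("Shed", "1234567"),        # constructed tag value
}


def claim_resource(
    resource_id: str,
    identity_id: str,
    requested_owner: str,
    proof: str,
    resources: Dict[str, Dict[str, Optional[str]]] = RESOURCES,
    tag_hashes: Dict[str, str] = TAG_HASHES,
) -> Tuple[str, Optional[str]]:
    """Handle PUT /houses/<resource_id>/owner for the authenticated identity.

    identity_id comes from the caller's access token; requested_owner and
    proof come from the JSON body. Returns (status, current_owner).
    """
    resource = resources.get(resource_id)
    if resource is None:
        return "not_found", None

    # A caller may only claim a resource for themselves: the identity in the
    # token must match the owner named in the body (resource.owner will then
    # equal identity.id, which is what later authorization checks rely on).
    if requested_owner != identity_id:
        return "forbidden", resource["owner"]

    expected = tag_hashes.get(resource_id)
    presented = _hash_tag(resource_id, proof)
    # Constant-time comparison so response timing does not leak how close
    # a presented proof was to the stored one.
    if expected is None or not hmac.compare_digest(presented, expected):
        return "invalid_proof", resource["owner"]

    # Proof of physical possession accepted: transfer ownership.
    resource["owner"] = identity_id
    return "ok", identity_id


if __name__ == "__main__":
    print(claim_resource("MyHouse", "smith", "smith", "XXXXXXX"))  # ('ok', 'smith')
    print(claim_resource("Shed", "smith", "smith", "wrong"))       # ('invalid_proof', 'jones')
```

Because the proof is verified and the owner updated inside the application, Keycloak's policies only need the ordinary resource.owner == identity.id check afterwards; the proof never has to travel inside the entitlement request.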