[keycloak-user] Authorization: proof of ownership

Pedro Igor Silva psilva at redhat.com
Wed Nov 22 13:42:44 EST 2017


I see. But so far I was considering that when you create "MyHouse" you
would already have the owner. In this case, you would just need to check
resource.owner == identity.id.

What you are looking for seems to be related to
https://issues.jboss.org/browse/KEYCLOAK-4903 and
https://issues.jboss.org/browse/KEYCLOAK-5346, where the former is about a
client pushing additional claims to the authorization request and the
latter should allow you to delegate the decision to an external
resource or API (e.g. some HTTP endpoint in your application).

On Wed, Nov 22, 2017 at 3:46 PM, Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> In my use case, the user can "claim" resources. But to do that, he needs to
> prove that he is the rightful owner.
>
> In practice, the user possesses objects called "sensor nodes". Those are
> just little boxes with a tag on them.
> The tag has a number that the user can transmit to prove that he physically
> owns the object.
>
> So my idea was to provide an endpoint able to change the owner of the
> resource, based on the tag number.
> Using our example, the endpoint to claim a resource could look like:
>
> curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{
>    "owner": "smith",
>    "proof": "XXXXXXX"
> }'
>
> A policy would check that the proof is valid, by matching it against a
> database.
> If accepted, then the resource owner should be changed.
>
> Do you think this is a good protocol?
> How to write the policy to authorize the owner change at Keycloak level?
> I don't see how to transmit the proof number when performing the
> authorization request (with the entitlement API).
>
>
