[Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet

Lombardo, Jeff jeffsec at amazon.com
Thu May 8 18:23:09 UTC 2025


It is a real-life use case and yes, it can be bound by a lot of constraints other than amount.

By the way, it fits the API GW testing case where I check if you can POST on /loan with a body payload… before talking to the backend that could do other checks.

Jean-François “Jeff” Lombardo | Amazon Web Services

Principal Solution Architect, Security Specialist - Montréal, Canada

From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> On Behalf Of David Hyland via Openid-specs-authzen
Sent: May 8, 2025 8:33 AM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: David Hyland <Dave at mydigitalid.info>
Subject: RE: [EXT] [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet

You do have a resource ID - it’s the product ID. The amount may be a condition of the product type - determined by the product ID. But I really don’t think this would actually be a real-life check, as there would be a pile of other criteria including the customer, term and other loan optionality that would be customer based.

dh

________________________________
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> on behalf of Allan via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>
Sent: Thursday, May 8, 2025 2:13:34 PM
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: Allan <allan at macguru.com>
Subject: Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet


Well, it does bring up the rather interesting case of create.

Create doesn't have a resource ID.

allan


On Thursday, May 08, 2025 at 12:58, Andres Aguiar via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Couldn't the resource be a higher level entity? e.g. the Region? the customer? the bank branch? If it's B2B, the organization?


On Thu, May 8, 2025 at 7:46 AM Andrew Clymer via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:


Sounds to me that the resource ID shouldn't be mandatory, or that the resource ID is for the collection of loans. Passing a resource ID of 0 works, but that just feels like a magic value.

Andy
________________________________
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> on behalf of Allan via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>
Sent: 08 May 2025 11:40
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: Allan <allan at macguru.com>
Subject: Re: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet

hmmm

Surely customer is part of the resource? And a create can simply use a resource ID of 0 or -1, or null.

allan


On Thursday, May 08, 2025 at 12:34, David Brossard via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:
Hi all,

Interesting use case from EIC: I want to write a policy that determines how a loan-to-be can be created.

Managers can create a loan for a customer in their region up to their max allowed amount for the employee (and/or customer).

The request would then be:

  *   Can Alice the employee create a loan with amount 1234?

In this type of request, because the loan hasn't been created we do not have a loan ID or resource ID. But, because AuthZEN makes the resource ID mandatory in the evaluation API, what approach do we want to recommend?

David
--
Openid-specs-authzen mailing list
Openid-specs-authzen at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-authzen
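The thread above weighs three ways to satisfy AuthZEN's mandatory resource ID when the loan does not exist yet: a magic value (0, -1, null), the loan collection, or an existing higher-level entity (customer, region, branch, product). The block below is an added example, not code from the thread or from the AuthZEN specification, showing the higher-level-entity approach as a PEP-side request builder plus a minimal PDP evaluation of the policy David Brossard states (a manager may create a loan for a customer in their region up to their maximum amount). It assumes the request and response follow the AuthZEN evaluation API shape (subject / resource / action / context, and a boolean "decision" in the response); the employee and customer tables, the `proposed_loan` property name and the `create_loan` action name are constructed for the example.

```python
"""Added example (not part of the mailing-list thread): an AuthZEN-style
evaluation request for a resource that does not exist yet.

Assumptions (mine, not from the thread): field names follow the AuthZEN
evaluation API shape (subject/resource/action/context, response carries a
boolean "decision"); the directories and limits below are constructed sample
data standing in for a PIP lookup; "proposed_loan" and "create_loan" are
names chosen for this example."""

# Constructed sample data: who may lend, where, and up to how much.
EMPLOYEES = {
    "alice": {"role": "manager", "region": "ca-east", "max_loan_amount": 5000},
    "bob":   {"role": "manager", "region": "us-west", "max_loan_amount": 10000},
    "carol": {"role": "teller",  "region": "ca-east", "max_loan_amount": 0},
}
CUSTOMERS = {
    "cust-42": {"region": "ca-east"},
    "cust-77": {"region": "us-west"},
}

# Placeholder ids the thread mentions; the PDP refuses them rather than
# silently evaluating a policy against a resource that does not exist.
PLACEHOLDER_IDS = {"0", "-1", "null", ""}


class MalformedRequest(ValueError):
    """Raised when a required AuthZEN field is missing or is a placeholder."""


def _require(obj: dict, key: str, where: str) -> str:
    val = obj.get(key)
    if not isinstance(val, str) or not val:
        raise MalformedRequest(f"{where}.{key} must be a non-empty string")
    return val


def create_loan_request(employee_id: str, customer_id: str, amount: int) -> dict:
    """Build the request a PEP would POST to the evaluation endpoint.

    The loan has no id yet, so the existing parent entity (the customer) is the
    resource, and the not-yet-created loan travels in resource.properties."""
    return {
        "subject": {"type": "employee", "id": employee_id},
        "resource": {
            "type": "customer",
            "id": customer_id,
            "properties": {"proposed_loan": {"amount": amount}},
        },
        "action": {"name": "create_loan"},
        "context": {},
    }


def evaluate(request: dict) -> dict:
    """Minimal PDP: decide a create_loan request against the thread's policy."""
    subject = request.get("subject", {})
    resource = request.get("resource", {})
    action = request.get("action", {})

    sub_type = _require(subject, "type", "subject")
    sub_id = _require(subject, "id", "subject")
    res_type = _require(resource, "type", "resource")
    res_id = _require(resource, "id", "resource")
    action_name = _require(action, "name", "action")
    if res_id in PLACEHOLDER_IDS:
        raise MalformedRequest("resource.id must name a real entity, not a placeholder")

    deny = {"decision": False}
    if (sub_type, res_type, action_name) != ("employee", "customer", "create_loan"):
        return deny

    employee = EMPLOYEES.get(sub_id)
    customer = CUSTOMERS.get(res_id)
    if employee is None or customer is None:
        return deny  # unknown subject or resource: fail closed

    amount = resource.get("properties", {}).get("proposed_loan", {}).get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        return deny

    # Policy from the thread: a manager may create a loan for a customer in
    # their own region, up to their personal maximum amount.
    permitted = (
        employee["role"] == "manager"
        and employee["region"] == customer["region"]
        and amount <= employee["max_loan_amount"]
    )
    return {"decision": permitted}


if __name__ == "__main__":
    print(evaluate(create_loan_request("alice", "cust-42", 1234)))  # {'decision': True}
    print(evaluate(create_loan_request("alice", "cust-77", 1234)))  # {'decision': False}
```

Carrying the proposed loan as a property of an existing resource keeps `resource.id` meaningful for audit and caching, and rejecting placeholder ids at the PDP boundary avoids the magic-value concern raised in the thread; the same shape works with the region or branch as the resource if the policy is scoped that way.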