[Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet

Julio Auto De Medeiros (BLOOMBERG/ 731 LEX) jautodemedei at bloomberg.net
Thu May 8 18:59:17 UTC 2025


I'm not sure that 'create' is an action you can do *to* a resource, since the resource you're thinking of doesn't yet exist. But I can see how that's debatable, and a good thought exercise.

In my environment, folks would probably model it differently and the resource would be *the API that creates loans*, and the action 'invoke' or something. The API is obviously a thing that exists prior to the future loan, and that has some unique identifier. Then the policies and evaluations become things like 'can user A invoke the loan creation API with an amount greater than X?' ...

From: openid-specs-authzen at lists.openid.net At: 05/08/25 06:35:03 UTC-4:00
To: openid-specs-authzen at lists.openid.net
Cc: david.brossard at gmail.com
Subject: [Openid-specs-authzen] A question on resource identifiers for resources that do not exist yet

Hi all,

Interesting use case from EIC: I want to write a policy that determines how a loan-to-be can be created.

Managers can create a loan for a customer in their region up to their max allowed amount for the employee (and/or customer).

The request would then be:

* Can Alice the employee create a loan with amount 1234?

In this type of request, because the loan hasn't been created we do not have a loan ID or resource ID. But, because AuthZEN makes the resource ID mandatory in the evaluation API, what approach do we want to recommend?

David

-- 
Openid-specs-authzen mailing list
Openid-specs-authzen at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-authzen
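
The modeling described in the reply above (the resource is the loan-creation API, the action is 'invoke'), as an added example that is not part of the thread or of the AuthZEN specification: a toy policy decision function over requests shaped like AuthZEN evaluation requests, applying the manager/region/max-amount rule from the original question. The identifier `loan-creation-api`, the attribute names, and the placement of the loan amount in `context` are assumptions.

```python
# Added example: toy PDP over AuthZEN-shaped evaluation requests.
# All identifiers, attribute names and values below are constructed.

LOAN_API_ID = "loan-creation-api"  # hypothetical stable ID of the API


def evaluate(request: dict) -> dict:
    """Return an AuthZEN-style decision for a loan-creation call."""
    subject = request.get("subject", {})
    resource = request.get("resource", {})
    action = request.get("action", {})
    context = request.get("context", {})

    # The evaluation API requires a resource ID; deny malformed requests.
    if not resource.get("type") or not resource.get("id"):
        return {"decision": False}
    if (resource["type"], resource["id"]) != ("api", LOAN_API_ID):
        return {"decision": False}
    if action.get("name") != "invoke":
        return {"decision": False}

    props = subject.get("properties", {})
    amount = context.get("amount")
    # Fail closed on missing, non-numeric or non-positive amounts.
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        return {"decision": False}

    allowed = (
        props.get("role") == "manager"
        and props.get("region") is not None
        and props.get("region") == context.get("customer_region")
        and amount <= props.get("max_loan_amount", 0)
    )
    return {"decision": allowed}


def loan_request(amount, customer_region):
    """Build the request 'can Alice invoke the loan creation API?'."""
    return {
        "subject": {"type": "user", "id": "alice",
                    "properties": {"role": "manager", "region": "emea",
                                   "max_loan_amount": 5000}},
        "resource": {"type": "api", "id": LOAN_API_ID},
        "action": {"name": "invoke"},
        "context": {"amount": amount, "customer_region": customer_region},
    }
```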
  
