Resource sharing using UMA with resource server being the owner

Hello!

I’d appreciate some help with figuring out how to implement resource access for my scenario:

  • Our users are ephemeral, i.e. we do not store any user information in Keycloak, and users authenticate using a custom anonymous authentication which just creates a user for you and gives you a token.

  • Once the session and the cookie expire, the user cannot be recovered and will eventually be deleted.

  • Users can create protected resources through our application.

  • The resource server owns the resources.

  • The protected resource is associated with an external resource which contains some user personal information, e.g. email.

  • I want to be able to send the user a link with a token that enables them to access one specific resource using a new anonymous user that will be issued on login.

  • I do not want to recover the original user as the original user has access to all of the resources and I do not want this to happen.

I’ve been looking for options and I’ve found both RPT and Action tokens to be somewhat what I want.

While the Action token feels closer to what I need, I prefer RPT as it saves me from implementing additional custom modules.

I want to be able to issue a token for a user that hasn’t been created yet, and then send a link with this token to an email.

When the link is clicked, I’d like the user to land on my anonymous authenticator and then be redirected to my application with the RPT (which I already know how to do).

Then I want to pick up the RPT, send it to Keycloak, and get Keycloak to add the authenticated user to the UMA permission with the defined scopes.

Or something like that…

I’m not sure though how resource sharing works when the resource owner is the resource server. I’m not even sure if this flow is supported natively.

Is this done solely through policies? E.g. a custom JS policy that captures an incoming token and introspects it?

Any hints would be really helpful,

Thanks!