Closed ttschampel closed 2 weeks ago
If the email is unknown to a keycloak instance, shouldn't we do a lookup to another identity service that does know?
Unknown entities should not be giving equivalent entitlements as known entities.
Agreed @pflynn-virtru , but this is up to the customer's ERS implementation.
In most cases all entities should be validated as known and the ERS implementation + IDP will have federation support and/or consumers can customize entitlement rego.
this ticket is just for the sample Keycloak ERS to support this feature in a deployment that does not have this rich federation/IDP mapping in place. Also, this feature can be disabled if not wanted.
here is a bug caused by this issue: https://github.com/opentdf/platform/issues/1036
Fixed by #1113
There are valid user flows where an entitlement request can be made where the user has not been seen by the ERS backed IDP (in case of IDP mapping like LDAP+Sync) or is a member of a third party organization.
A concrete use case would be an entity by email address.
The logic involving how unmatched entities are handled should be a function with in the ERS; as opposed to the core authorization service.
Support for this in the sample Keycloak ERS:
Add configuration to Keycloak ERS to support something to describe unknown entity support yes/no and what entity types: e.g.
Given this configuration Keycloak ERS would echo back the entity representation to the caller in the case of no match (for entity type = email). This enables downstream subject mappings to still inform entitlements for these unknown users.