I am trying to set up Keycloak to do the authentication and authorization for requests from a third-party processor. The processor recommends we define end-points per their documentation.
/accounts (would return all accounts for a username, I can obtain the username from the access_token and then query the database to return all accounts related to that username)
To explain what I am running into I am going to define some arbitrary responses for the end-points:
For username: userA the response includes accounts with accountId: accountA, accountB
It all works well this far.
The problem is with the authorization for the next end-point described below:
/accounts/{accountId}/info
So valid end-points for userA would be:
/accounts/accountA/info
/accounts/accountB/info
How do I validate userA is authorized to accountA and accountB? I can call /accounts again and retrieve a list of authorized accounts and ensure accountA or accountB are in the list. I am hoping I do not have to call /accounts for every request to ensure the user is authorized. That is way too many queries after the user has already been authenticated.
I would also have to deny access to end-points like this one:
/accounts/accountC/info
Any suggestions are welcome. Thank You in advance.
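The ownership check described in the question (path accountId must appear in the user's /accounts list), written out as an added example that is not part of the original post and not Keycloak's own code. It assumes the access token has already been signature- and issuer-verified elsewhere and is passed in as its claims dict (`preferred_username`, `jti`, `exp`); an in-memory dict stands in for the database behind /accounts, and the per-token cache is what keeps the lookup to one query per token rather than one per request.

```python
import re
import time
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the database behind /accounts: username -> account ids.
ACCOUNTS_DB: Dict[str, List[str]] = {"userA": ["accountA", "accountB"]}

# Cache of authorized accounts keyed by token id (jti), valid until the token's
# exp claim, so the account list is fetched once per token, not per request.
_cache: Dict[str, Tuple[float, List[str]]] = {}
_db_queries = 0  # counts database lookups so the caching effect is observable

INFO_PATH = re.compile(r"^/accounts/([A-Za-z0-9_-]+)/info$")


def db_query_count() -> int:
    """Number of times the account list was loaded from the database."""
    return _db_queries


def authorized_accounts(claims: dict, now: Optional[float] = None) -> List[str]:
    """Return the account ids the token subject may access.

    `claims` is the already-verified access token payload. The result is cached
    per jti until the token expires; expiry is also enforced by the verifier.
    """
    global _db_queries
    now = time.time() if now is None else now
    jti, exp = claims["jti"], float(claims["exp"])
    cached = _cache.get(jti)
    if cached is not None and cached[0] > now:
        return cached[1]
    _db_queries += 1
    accounts = list(ACCOUNTS_DB.get(claims["preferred_username"], []))
    _cache[jti] = (exp, accounts)
    return accounts


def authorize_request(path: str, claims: dict, now: Optional[float] = None) -> bool:
    """Allow /accounts/{accountId}/info only when accountId belongs to the caller.

    Any path that does not match the expected shape is denied by default.
    """
    m = INFO_PATH.match(path)
    if m is None:
        return False
    return m.group(1) in authorized_accounts(claims, now)
```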