I have a Spring Boot-application with a public REST-API. The user authentication is handled by Keycloak. Users can use the API to submit jobs, which are then executed periodically as a Spring Batch. Some of these jobs require the user to be notified via eMail after completion.
The application currently does not store any user-related information, except the ID of the user, who submitted the job. My problem is now, that I need the eMail-address belonging to that User-ID to send the job-completion notification. The JWT passed to the API, which contains this information, can't be used at this time, since the job is executed asynchronous in the batch-context.
I came up with 2 possible solutions so far, which both have their own drawbacks in my opinion:
solution 1: extracting the required information from the JWT and persist them in the application's database for later use
drawbacks:
- the application should not be concerned with storing user-information; it also shouldn't duplicate data controlled by other applications
- the user might change its eMail-address in the primary user-database, without getting noticed by my application
solution 2: requesting user-details as needed by using Keycloak-APIs.
This looks theoretically like a good approach to me. The suggested solutions on SO utilize the Keycloak Admin-API (endpoint /auth/admin/realms/{realm}/users/{user-id}) to fetch user-details. This requires the application to be configured as a "confidential client" with own client-credentials and an enabled service account. What bothers me here: It appears a bit strange to me, that a regular application without any special privileges uses an Admin-API. Also, the users-endpoint is not restricted to users, which have previously given consent to access their data.
Is there a good way to solve this problem?
