I have a situation. In a Symfony API Platform API, we receive an authentication token generated by an external SSO. With it, the user provider is able to find the connected user and his rights (roles), and we have managed his different accesses according to them. But we have been told, long story short, that we now need to add specific accesses for users requesting the API from another frontend app, which has its own appId, which is present in the token. My first thought was to get it in the AccessTokenHandler, which we use to decode the token, and pass it to the user. But in the AccessTokenHandler we don't have the user yet: we only generate a UserBadge for the firewall to handle. Unless we fetch it from the DB and then persist it, eventually with a new role for the request... which I find awful: having to handle this by persisting to the DB on each request doesn't seem the right way to do it, as far as I'm concerned. We are thinking of storing the info in the session, but we don't like to make the API stateful...
Is there an appropriate way to do this? Do API Platform and Symfony already have a secret way to handle this? What would be the best practice in this situation?
Thanks
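One stateless way to carry the token's appId to the user, as an added example that is not part of the original post or of Symfony's own code: the `UserBadge` accepts a user-loader closure, and that closure can attach the claim to the in-memory `User` object after the existing provider has loaded it. Nothing is persisted and no session is used; a voter then reads the value from the authenticated token. Assumptions: a hypothetical `TokenDecoder` service that verifies the SSO token and returns its claims as an array, a `User` entity with an unmapped `requestAppId` property (sketched in comments), the claim name `appId`, and a constructed allowlist of known app identifiers.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical
// TokenDecoder (verifies signature/expiry, returns claims), an App\Entity\User
// with an unmapped requestAppId property, and the "appId" claim name.
// The appId lives only on the in-memory User for the current request.

namespace App\Security;

use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

// In App\Entity\User (Doctrine entity), a property that is deliberately NOT mapped,
// so setting it never marks the entity dirty and nothing is flushed:
//   private ?string $requestAppId = null;
//   public function setRequestAppId(?string $id): void { $this->requestAppId = $id; }
//   public function getRequestAppId(): ?string { return $this->requestAppId; }

final class AccessTokenHandler implements AccessTokenHandlerInterface
{
    /** Frontend app identifiers the API will grant extra access to (constructed sample values). */
    private const KNOWN_APP_IDS = ['partner-portal', 'mobile-app'];

    public function __construct(
        private readonly TokenDecoder $decoder,          // hypothetical service
        private readonly UserProviderInterface $users,   // the existing user provider
    ) {
    }

    public function getUserBadgeFrom(string $accessToken): UserBadge
    {
        // The decoder is expected to throw on a bad signature or an expired token.
        $claims = $this->decoder->decode($accessToken);

        if (empty($claims['sub'])) {
            throw new BadCredentialsException('Token has no subject.');
        }

        // Only honour an appId we know; anything else is treated as "no app",
        // so an unexpected claim value cannot unlock extra access.
        $appId = $claims['appId'] ?? null;
        if ($appId !== null && !in_array($appId, self::KNOWN_APP_IDS, true)) {
            $appId = null;
        }

        // The loader runs when the firewall resolves the badge: load the user
        // through the normal provider, then attach the appId in memory only.
        return new UserBadge(
            $claims['sub'],
            function (string $identifier) use ($appId): UserInterface {
                $user = $this->users->loadUserByIdentifier($identifier);
                if ($user instanceof User) {
                    $user->setRequestAppId($appId);
                }

                return $user;
            }
        );
    }
}

// Authorization side: a voter that grants an attribute only when the request
// was authenticated with a token issued for the partner frontend.
final class PartnerAppVoter extends Voter
{
    public const ATTRIBUTE = 'PARTNER_APP_ACCESS';

    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === self::ATTRIBUTE;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();

        return $user instanceof User && $user->getRequestAppId() === 'partner-portal';
    }
}
```

The attribute can then be required on an API Platform resource with `security: "is_granted('PARTNER_APP_ACCESS')"` or on a controller with `#[IsGranted('PARTNER_APP_ACCESS')]`. Because the property is not mapped, Doctrine never writes it, and because the value is derived from the verified token on every request, revoking the app's access is a matter of removing it from the allowlist rather than cleaning up stored roles.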