My application, for now, has 2 types of users.
Admin has full access. The User enters my website from an outside website by a link,
for example http://www.exmple.com?resourceId=123
Then I redirect to Keycloak for authentication (LDAP or custom OpenID provider).
I want to enforce that the user can only make requests for that specific id for the entire session.
If he wants to change his resource ID he will need to return to the external system for a new link.
This means that he will only see things related to id 123.
I want to prevent cases where he changes the id and uses the same token.
How can that be done?
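One way to get the behaviour the question asks for, as an added example that is neither part of the question nor Keycloak's own code: bind the `resourceId` from the entry link to the server-side session before redirecting to the identity provider, and let that bound value, not the query string or the token, decide every later request. The `Session` class and the function names are hypothetical and framework-agnostic; the real login callback would validate the OpenID token as usual and only then call `complete_login`.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Server-side session record (hypothetical; map it onto your framework's session store)."""
    sid: str
    bound_resource_id: Optional[str] = None   # set once, on entry from the external link
    oidc_state: Optional[str] = None          # pending OpenID 'state', cleared after login
    subject: Optional[str] = None             # user id, set only after the IdP login completes


def bind_resource(session: Session, query: dict) -> Optional[str]:
    """Entry point for ?resourceId=...; binds the id to this session and returns the
    OIDC 'state' to send to the IdP. Returns None if the id is missing or the session
    is already bound to a different id (the user must come back via a new external link)."""
    rid = query.get("resourceId")
    if not rid:
        return None
    if session.bound_resource_id is not None and session.bound_resource_id != rid:
        return None
    session.bound_resource_id = rid
    # Fresh, unguessable state ties the login callback to this exact session.
    session.oidc_state = secrets.token_urlsafe(32)
    return session.oidc_state


def complete_login(session: Session, callback_state: str, subject: str) -> bool:
    """Login callback: accept the IdP response only if 'state' matches this session."""
    if not session.oidc_state or not hmac.compare_digest(session.oidc_state, callback_state):
        return False
    session.subject = subject
    session.oidc_state = None          # single use
    return True


def authorize_request(session: Session, requested_resource_id: str) -> bool:
    """Per-request check: logged in, and the id being asked for equals the bound id.
    Any other id is refused even though the token itself is still valid."""
    if session.subject is None or session.bound_resource_id is None:
        return False
    return hmac.compare_digest(session.bound_resource_id, str(requested_resource_id))
```

Regenerate the session id inside `complete_login` if your framework does not do so already, so the bound resource id cannot be fixed onto a session by a third party.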