I would like to limit the functionality of the admin REST API to the calling user/application. 

The motivation is not to expose the "internals" of keycloak and put some logic between the calling app and admin REST API.

My idea was to create a simple web application deployed at keycloak server that belongs to the same realm as calling application and realm management application. 

Would you recommend that approach? Or is there anything more suitable (e.g.: implement it as a keycloak valve... etc.)?

Thank you for your opinions.

Best regards,

Bystrik