In OAuth, a client can ask for a token so it can act on behalf of another user. In Keycloak, clients will have the concept of a "scope". The scope is the set of roles the client is allowed to ask for when it acts on behalf of the user.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com