Would it be an idea to have a field on a client to specify a required role
that users have to have to be permitted to authenticate to the client?
We could add support for this directly in the login flows. If the user has
the required role redirect to the app, but if the user doesn't display an
error page stating you don't have access.