Assuming you have a realm with x clients defined and each has an APP-USER role, is there a way to authenticate a user only if the user has the role associated? ...

Obviously I can check the access token, or place a proxy in front which does that for me, but is there a native way of saying "ask for this scope, and if you don't have it you are denied"?

Best Regards ..