[keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT)

Hi everyone, Lately i was playing with Keycloak (KC), evaluating it for an IoT project and i have a question regarding the authorization services. One of my use case is : devices that connect to an MQTT Broker using X.509 client authentication. Note : when i talk about device, you must understand KC user (device = user). For several reasons/constraints that i won't explain here, i can't have my devices connect first to Keycloak to obtain a token (using their X.509 certificates as KC supports it) and then connect to the MQTT Broker passing this token. They connect directly to the MQTT Broker, each device presenting its X.509 certificate to the Broker. After connection, the Broker doesn't know client private key. My need is to have my MQTT Broker (ideally through KC) authorize/reject MQTT client to publish/subscribe to specific topic. MQTT Topic being some kind of uri/path, i already have an idea of how to configure KC (client, resource, policy, permission ...) to authorize/reject these access. However, as i understand it, the starting point for all the « authorization services » (Authorization API, Entitlement API ... ) is a « user Access Token ». In my case, i don't have a user access token ... so i'm kind of stuck to use any of the K.C API (unless i missed something). Hence, My question is how can i make my MQTT Broker (.ie : resource server) interact with KC to enforce/evaluate policy ? Is it possible without the user access token ? Hope i made myself clear and thanks in advance for any help ... Best regards, Brahim