Hello,
We're excited to be integrating Keycloak into our application suite, and I have some
authorization questions I haven't been able to answer myself.
We have an unusual Single Page Application (SPA) architecture where our web server and our
"data" server are separate processes. Further, we don't own the web server
source code. Consequently, the SPA code running in the browser will need to perform
fine-grained permission enforcement on its own.
I believe we can do this by sending the following type of request to get an RPT with all
allowed permissions on the given resource server (I tested this and it works as
expected):
curl -X POST \
http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
-H "Authorization: Bearer ${access_token}" \
--data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
--data "client_id=${web_client_id}" \
--data "audience=${resource_server_client_id}"
We would actually need to send two of these requests, one with the "web"
resource server client ID, and the other with the "data" resource server client
ID, because they would each own a set of resources that are accessed and whose permissions
are enforced in the SPA.
Is this the recommended way to approach this problem?
Will this approach be supported in the long term (versus being deprecated for some reason
related to the UMA 2.0 spec)?
Finally, what is the limit on the length of or number of permissions in an RPT?
Thank you,
Dave
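The two-request flow described in the post, as an added example that is not part of the original message and not Keycloak's own code: it builds the same UMA-ticket token request for each resource server, decodes the returned RPTs, and merges their `authorization.permissions` claims into one index the SPA can query before rendering a control. The RPT payload shape (`authorization.permissions[]` with `rsid`, `rsname`, `scopes`) is what Keycloak issues; the audiences, resource names, scopes and the unsigned sample tokens are constructed for the demo. The SPA only decodes the RPT, it cannot verify it, so this index is a UI decision aid; the "data" server must still validate the RPT on every request.

```javascript
// Added example (not from the original post or from Keycloak): build the
// UMA-ticket token request per resource server, decode the returned RPTs,
// and merge their authorization.permissions claims into a queryable index.
// Audiences, resource names and scopes below are constructed sample values.

function umaTokenRequest(baseUrl, realm, accessToken, webClientId, audience) {
  // Same request as the curl command in the post, one call per resource server.
  const body = new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket',
    client_id: webClientId,
    audience,
  });
  return {
    url: `${baseUrl}/auth/realms/${realm}/protocol/openid-connect/token`,
    method: 'POST',
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return atob(padded); // atob is global in browsers and Node >= 16
}

function decodeJwtPayload(jwt) {
  // Decodes only. The browser cannot verify the signature, so the result is
  // a hint for the UI; the resource server validates the RPT on each call.
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function buildPermissionIndex(rptsByAudience) {
  // Key by audience + resource name so a resource called "Reports" on the
  // "web" server and one on the "data" server never collide.
  const index = new Map();
  for (const [audience, rpt] of Object.entries(rptsByAudience)) {
    const auth = decodeJwtPayload(rpt).authorization || {};
    for (const p of auth.permissions || []) {
      const key = `${audience}/${p.rsname}`;
      const entry = index.get(key) || { all: false, scopes: new Set() };
      if (!p.scopes || p.scopes.length === 0) {
        // Assumption of this example: a scope-less entry is a whole-resource grant.
        entry.all = true;
      } else {
        p.scopes.forEach((s) => entry.scopes.add(s));
      }
      index.set(key, entry);
    }
  }
  return index;
}

function isAllowed(index, audience, resource, scope) {
  const entry = index.get(`${audience}/${resource}`);
  if (!entry) return false;
  return entry.all || entry.scopes.has(scope);
}

// --- constructed, unsigned sample RPTs for the demo (alg "none", empty signature) ---
function makeUnsignedRpt(payload) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const SAMPLE_RPTS = {
  'web-rs': makeUnsignedRpt({
    aud: 'web-rs',
    authorization: {
      permissions: [
        { rsid: 'sample-id-1', rsname: 'Reports', scopes: ['view', 'export'] },
        { rsid: 'sample-id-2', rsname: 'Settings' }, // no scopes listed
      ],
    },
  }),
  'data-rs': makeUnsignedRpt({
    aud: 'data-rs',
    authorization: {
      permissions: [{ rsid: 'sample-id-3', rsname: 'Orders', scopes: ['read'] }],
    },
  }),
};

// Usage: one index built from both RPTs, queried per control.
const PERMISSIONS = buildPermissionIndex(SAMPLE_RPTS);
```

In a real SPA the two `umaTokenRequest` results are sent with `fetch`, the `access_token` field of each JSON response is the RPT, and `buildPermissionIndex` is rerun whenever the RPTs are refreshed.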