[keycloak-user] How to check permission when issuing token

Hi, Our customer has a requirement that they want to check whether the authenticated user has sufficient permission to access the service(RP) when issuing token. I came up with an idea using custom protocol mapper which checks the assigned roles as follows: https://gist.github.com/wadahiro/b777c49b61766c8f634981756aedffaa By using this mapper, token endpoint returns 403 Forbidden error if the authenticated user doesn't have sufficient role. Is this a good way? Or is there a better way to do it? Best Regards -- Hiroyuki Wada Nomura Research Institute, Ltd.