[keycloak-user] Restrict access to clients based on Group membership

Hi, In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users in a Windows AD. We heavily use SAML and OIDC and both work great. Is there a way to restrict access to a OIDC client based on a group membership ? I’ve been reading up the docs and trying to get this working without success. For example, let’s say we have 2 clients; client-dev-api client-prod-api Can I configure Keycloak to issue JWT token for client-dev-api to members of AD group “Developers” and client-prod-api to members AD group “Production” ? Any guidance on getting this to work would be appreciated. Thanks. --Prashant