[Repost]
Hey all
I feel compelled to ask another basic question of you, thanks in advance!
Looking at the demos, in a basic OAuth2 scenario, the protected resource
server (let's use the database-server within the demo-templates) is
configured in keycloak.json as:

{
  "realm" : "demo",
  "resource" : "database-service",
  "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "/auth",
  "bearer-only" : true,
  "ssl-required" : "external"
}
In the web.xml, the database-service is permitting only requests ('/*') to
those clients that have been granted the 'user' role.
In the design, this service is receiving bearer tokens only - so can I
assume that the bearer token has the roles associated with the token
encoded within the bearer token? (Plus the token is signed with the realm
key)
Or is there a back-channel conversation which I can't see in the
configuration, maybe derived from 'auth-server-url'?
Thank you for any thoughts!
Regards,
Simon