Enforcing policy-based authorization for Clients that DO NOT perform RPT authorization requests

We are using Keycloak 4.3.0 to successfully perform role-based User Authentication.

Using our Keycloak IdP, we also enforce policy-based authorization access to company resources. This means that most of our OpenID Connect clients perform authorization requests and obtain an RPT with all user permissions to allow Keycloak a mechanism for granting / denying access beyond the user entering their password correctly.

Unfortunately, we have an OpenID Connect client, Open Distro for Elasticsearch v1.4.0, that has not implemented the mandatory grant_type “urn:ietf:params:oauth:grant-type:uma-ticket” operation AFTER it successfully authenticates using the JWT.

I have no control of When or IF Open Distro will implement this feature…
But OD does require that I add to the Keycloak Client configuration, a User Realm Role Token mapper
So my question is whether there is some way I can influence (a) the return of the JWT token or (b) the Roles in the token, based on the positive/negative decision strategy under Clients -> Authorization -> Permissions?

Advice Anyone?

No response from anyone?
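The mechanism the question revolves around is the UMA ticket grant: a client that already holds an access token posts `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket` (plus the `audience` of the resource server) to the realm's token endpoint and receives an RPT whose `authorization.permissions` claim lists the resources and scopes the policies granted. The snippet below is an added illustration, not code from the poster or from Keycloak or Open Distro: it builds that token-endpoint form body, decodes the RPT payload, and evaluates the permissions claim for a resource/scope pair. The resource names, scopes and the sample RPT are constructed, and the decoder deliberately skips signature verification, which a real deployment must do against the realm's JWKS before trusting any claim.

```python
import base64
import json
from urllib.parse import urlencode

# Keycloak grant type used to exchange an access token for an RPT (from the question).
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def build_rpt_request(audience, permissions=None, response_mode=None):
    """Form body for POST <realm>/protocol/openid-connect/token.

    audience      - client id of the resource server whose policies are evaluated
    permissions   - optional list of "resource#scope" strings to narrow the request
    response_mode - optional "decision" (yes/no only) or "permissions" (plain JSON,
                    no token); omitted means a full RPT is returned
    The Authorization: Bearer <access token> header is sent separately.
    """
    params = [("grant_type", UMA_TICKET_GRANT), ("audience", audience)]
    for perm in permissions or []:
        params.append(("permission", perm))
    if response_mode:
        params.append(("response_mode", response_mode))
    return urlencode(params)


def decode_jwt_payload(token):
    """Base64url-decode the payload segment of a compact JWT.

    NOTE: no signature check here. Assumed done earlier against the realm's
    JWKS; never authorize on an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims):
    """Map resource name -> set of scopes from the RPT's authorization.permissions claim.

    An entry without a "scopes" list is recorded as an empty set, which the
    check below treats as a resource-level grant (assumption about the
    RPT shape, documented here rather than taken from the page).
    """
    entries = claims.get("authorization", {}).get("permissions", [])
    granted = {}
    for entry in entries:
        name = entry.get("rsname") or entry.get("rsid")
        granted.setdefault(name, set()).update(entry.get("scopes", []))
    return granted


def is_permitted(claims, resource, scope=None):
    """True if the RPT grants `resource` (and `scope`, when given)."""
    granted = granted_permissions(claims)
    if resource not in granted:
        return False
    if scope is None:
        return True
    # Empty scope set == resource-level grant covering every scope (see assumption above).
    return not granted[resource] or scope in granted[resource]


def decision_from_response(body):
    """Interpret a response_mode=decision answer: {"result": true|false}."""
    return bool(json.loads(body).get("result", False))


def encode_sample_rpt(claims):
    """Constructed, unsigned sample RPT for offline demonstration only."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.constructed-signature"


# Constructed sample of what Keycloak puts in an RPT (resource ids are placeholders).
SAMPLE_CLAIMS = {
    "aud": "elasticsearch",
    "authorization": {
        "permissions": [
            {"rsid": "RSID-PLACEHOLDER-1", "rsname": "logs-index", "scopes": ["read"]},
            {"rsid": "RSID-PLACEHOLDER-2", "rsname": "kibana-dashboard"},
        ]
    },
}


if __name__ == "__main__":
    print(build_rpt_request("elasticsearch", ["logs-index#read"], "decision"))
    claims = decode_jwt_payload(encode_sample_rpt(SAMPLE_CLAIMS))
    for res, sc in [("logs-index", "read"), ("logs-index", "write"), ("kibana-dashboard", "edit")]:
        print(res, sc, is_permitted(claims, res, sc))
```

The point for the situation in the question: a client that never sends this grant never sees the `authorization` claim, so the permissions defined under Clients -> Authorization -> Permissions simply have no carrier to reach it; anything that enforces them has to sit where this exchange can be made and the RPT checked.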