Getting all Keycloak permissions across all clients

I have multiple clients set up, with resources, scopes and permissions on each one.

I’m retrieving the given permissions for a user, invoking the token endpoint (providing the access token) setting the audience claim to a single client. This lets me retrieve an RPT with permissions granted for the given user, on that specific client.

I’ve read about incremental permission retrieval, with again retrieving RPTs (this time, providing the existing RPT) from the token endpoint, defining the audience/client, but I’m wondering whether it’s possible to fetch an RPT with all the permissions, across all clients, straight away? Without having to invoke keycloak as many times as many clients I have.

If not, I’m thinking about extending the authorization services (API/Custom SPI) to do this for me.

Is this possible, and is it even encouraged?

Hey @eldarj,
I have a use case that also requires fetching all clients’ permissions. I see that a few months have passed so maybe you’ve figured out what is the best approach. Do you have any recommendations?