Retrieving resources for a specific application role with authorization services (UMA)

Hi all,
We are using fine-grained authorization inside OIDC/OAuth clients, defining resources, permissions and role-based policies with UMA in Keycloak.

We have configured some examples defining application roles which ultimately grant access to different resources.

To obtain the permissions for a user, we make an authorization request to the token endpoint using the following params:

  • grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
  • response_mode=permissions
  • and the Access Token

Keycloak responds with a list of permissions the user has due to the assigned application roles, but we have not found a way to obtain permissions assigned to a user in an application for a specific role.

Let’s say,

  • The user has 2 roles assigned in an application, and each role allows access to different resources.
    so,
  • If a user has both roles, the response of the token endpoint retrieves resources allowed by 1st role + 2nd role into the same JSON.

Our question is:
Is there any way to retrieve only the resources allowed by one role?

If anyone knows how to do this, it would be of great help for us…

Thank you.
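The request described in the post and the shape of the merged answer, as an added example that is not part of the original post. The endpoint URL, the client id passed as `audience`, the token string and the sample response body are constructed placeholders, and the helper names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def build_permissions_request(token_endpoint, access_token, audience=None):
    """Build (without sending) the token-endpoint request from the post."""
    form = {"grant_type": UMA_GRANT, "response_mode": "permissions"}
    if audience:
        # Assumption: client id of the resource server whose permissions are wanted.
        form["audience"] = audience
    return urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={
            # The user's access token travels as a bearer credential.
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )

def index_permissions(response_body):
    """Turn the JSON array of permissions into {resource name: sorted scopes}."""
    permissions = json.loads(response_body)
    if not isinstance(permissions, list):
        # An error object (for example a denied request) is not a permission list.
        raise ValueError("expected a JSON array of permissions")
    merged = {}
    for entry in permissions:
        name = entry.get("rsname") or entry["rsid"]
        merged.setdefault(name, set()).update(entry.get("scopes", []))
    return {name: sorted(scopes) for name, scopes in merged.items()}

# Constructed sample: a user holding two application roles gets one flat list.
# Each entry names a resource and its scopes, not the role that granted it.
SAMPLE_RESPONSE = json.dumps([
    {"rsid": "r-1", "rsname": "invoices", "scopes": ["view"]},
    {"rsid": "r-2", "rsname": "reports", "scopes": ["view", "export"]},
])

if __name__ == "__main__":
    req = build_permissions_request(
        "https://keycloak.example/realms/demo/protocol/openid-connect/token",
        "ACCESS_TOKEN_PLACEHOLDER", audience="my-app")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print(index_permissions(SAMPLE_RESPONSE))
```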