Client applications can obtain an EAT from {project_name} like any other OAuth2 access token. Usually, client applications obtain EATs after the user is successfully
authenticated in {project_name}. By default the _authorization_code_ grant type is used to authenticate a user and issue an OAuth2 access token to the client application acting on the user's behalf.
The *kc_entitlement* scope can be created like any other _realm role_, or as a _client role_. Once created, grant this role to the users of your realm.