== Defining uma_authorization and kc_entitlement scopes In order to allow client applications to obtain authorization tokens from the server, you need to create two roles: * *uma_authorization* + This role grants access to client application to ask the server for authorization tokens. * *kc_entitlement* + This role grants access to client application to ask the server for entitlements. Once they are created for a client application, you must associate these roles with your users. These steps are necessary to tell Keycloak that the client application is allowed to obtain authorization data on behalf of your users.