Currently the configuration in ups-realm.json currently doesn't allow so called "direct grant access" (I hope I got the name right).

This is a blocker for calling REST APIs from other applications, e.g. your business application communicating with UPS via standard REST means without UI support.

In similar manner, keycloak also doesn't allow to change the password using a REST API which enforces the need to log to UPS via UI for the first time.