I was thinking that the keycloak-authz.js adapter could provide some utility which handles refreshing of RPT tokens (in case they are expired) and also exchanging UMA tickets, which were returned from the resource server, for a new RPT.
For example, the adapter can have some utility like "rptProvider", which will do something like this (it would be better to have a proper state diagram, but hopefully you won't get lost in these conditions. Imagine that from point 1 you can go to 1.1 or 1.2):
1) Check if there is an existing RPT stored. If yes, it will:
1.1) Check if the existing RPT is expired. If yes, it will:
1.1.1) Try to refresh the RPT. If the refresh succeeds, the adapter will store the refreshed RPT and go to (1.2).
1.1.2) If the refresh fails, the adapter will delete the existing RPT and go to step 2.
1.2) If the existing RPT is not expired, the adapter will just call that particular "onSuccess" callback method with the RPT.
2) If there is no RPT, the adapter will use its accessToken to call the authorization API.
2.1) If calling the authorization API fails, an "onAuthzError" callback should be called with the error message passed to it as argument (for example "request_submitted", so that the caller is aware that the request was saved on the KC side to be approved by the resource owner).
2.2) If calling the authorization API succeeds, we will store the RPT and go to (1.2).
The "onSuccess" callback will usually invoke the REST service with the RPT, but the service can return a UMA ticket in case the RPT is missing some permissions. In that case, it should call some builtin function provided by the authz client, which will:
3) Try to "parse" the UMA ticket from the response.
3.1) If it's not there, we need to call some "onOtherError" callback method.
3.2) If it's there, we will use that UMA ticket to call the authorization API, hence go again to step 2.
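To make the state machine above concrete, here is an added example in JavaScript (it is not code from keycloak-authz.js nor part of this proposal): a minimal rptProvider whose network calls (authorize, refresh) are injected as functions so it runs offline against a fake authorization server. The names rptProvider, getRpt, handleResourceResponse and the onSuccess/onAuthzError/onOtherError callbacks follow the sketch above; decoding the RPT as a JWT to read its exp claim, parsing the UMA ticket from a WWW-Authenticate header, and the constructed tokens and responses are assumptions made for this example.

```javascript
'use strict';

// Read the "exp" claim of an (unverified) JWT. Assumption: the RPT is a JWT
// with an "exp" claim. The signature is NOT checked here: the client only
// uses exp as a hint for when to refresh; the resource server enforces it.
function tokenExp(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    // Node's 'base64' decoder also accepts the base64url alphabet.
    const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp : null;
  } catch (e) {
    return null;
  }
}

// Step 3: pull the UMA permission ticket out of a 401 response, e.g.
//   WWW-Authenticate: UMA realm="photoz", as_uri="https://kc/...", ticket="..."
// Assumption: header names are lowercase in the response object.
function parseUmaTicket(response) {
  if (!response || response.status !== 401) return null;
  const header = response.headers && response.headers['www-authenticate'];
  if (!header || !/^UMA\b/i.test(header)) return null;
  const m = /ticket="([^"]+)"/.exec(header);
  return m ? m[1] : null;
}

// opts: { accessToken, authorize(req) -> {rpt} | {error}, refresh(rpt) -> rpt | null, now() -> seconds }
function rptProvider(opts) {
  let rpt = null;
  const now = opts.now || (() => Math.floor(Date.now() / 1000));
  // An RPT whose exp cannot be read is treated as expired (fail closed).
  const isExpired = (t) => { const exp = tokenExp(t); return exp === null || exp <= now(); };

  // Step 2: call the authorization API, optionally with a UMA ticket.
  function requestRpt(authzRequest, cb) {
    const res = opts.authorize(Object.assign({ accessToken: opts.accessToken }, authzRequest));
    if (res.error) return cb.onAuthzError(res.error);        // 2.1
    rpt = res.rpt;                                            // 2.2
    return cb.onSuccess(rpt);                                 // -> 1.2
  }

  // Steps 1 and 2: hand a usable RPT to onSuccess.
  function getRpt(cb) {
    if (rpt !== null) {                                       // 1
      if (!isExpired(rpt)) return cb.onSuccess(rpt);          // 1.2
      const refreshed = opts.refresh(rpt);                    // 1.1.1
      if (refreshed) { rpt = refreshed; return cb.onSuccess(rpt); }
      rpt = null;                                             // 1.1.2 -> step 2
    }
    return requestRpt({}, cb);                                // 2
  }

  // Step 3: the app passes the resource server's response here. A ticket
  // goes straight to step 2 (not step 1): the cached RPT is the one that
  // lacked permissions, so it must not be served from cache again.
  function handleResourceResponse(response, cb) {
    const ticket = parseUmaTicket(response);
    if (!ticket) return cb.onOtherError(response);            // 3.1
    return requestRpt({ ticket }, cb);                        // 3.2 -> 2
  }

  return { getRpt, handleResourceResponse, current: () => rpt };
}

// Constructed, unsigned JWT for the example (alg "none", dummy signature).
function makeToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.sig`;
}

// Drive the provider through every branch with a fake clock and a fake KC.
function runScenario() {
  let clock = 1000;
  const calls = { authorize: 0, refresh: 0 };
  const events = [];
  const cb = {
    onSuccess: (t) => events.push('success:' + tokenExp(t)),
    onAuthzError: (e) => events.push('authzError:' + e),
    onOtherError: (r) => events.push('otherError:' + r.status),
  };
  const provider = rptProvider({
    accessToken: 'constructed-access-token',
    now: () => clock,
    authorize: (req) => {
      calls.authorize++;
      // With a ticket, simulate KC storing the request for owner approval.
      return req.ticket ? { error: 'request_submitted' } : { rpt: makeToken(clock + 100) };
    },
    refresh: () => (++calls.refresh === 1 ? makeToken(clock + 100) : null), // works once
  });
  provider.getRpt(cb);                 // no RPT -> 2 -> 2.2
  provider.getRpt(cb);                 // cached, not expired -> 1.2
  clock = 1200; provider.getRpt(cb);   // expired -> refresh ok -> 1.1.1
  clock = 1400; provider.getRpt(cb);   // expired -> refresh fails -> 1.1.2 -> 2
  provider.handleResourceResponse({ status: 401, headers: { 'www-authenticate':
    'UMA realm="photoz", as_uri="https://kc.example/realms/photoz", ticket="constructed-ticket"' } }, cb); // 3.2 -> 2.1
  provider.handleResourceResponse({ status: 500, headers: {} }, cb);       // 3.1
  return { events, authorizeCalls: calls.authorize, refreshCalls: calls.refresh };
}
```

The refresh path deliberately keeps the old RPT until a replacement has been obtained, so a transient refresh failure degrades to a fresh authorization request rather than to a missing token; the only state the provider holds is the current RPT, which is exactly what the "rptProvider" sketch above stores.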
Some pseudo-code of how the usage of it can look: