1. Something like `hasRole()` would normally be implemented in an UMA RPT authentication script, not in the API requesting a token.
2. There are no UMA client libraries that I know of. The reason we use the oxd-server middleware approach is that we are able to publish a wider range of client libraries (java, python, php, ruby, c#, node, etc). However, with that said, implementing an UMA client is pretty trivial. You can just read [UMA-Grant](https://gluu.co/uma-grant)
3. If you are implementing an UMA RS, you may want to consider looking at the [Gluu Gateway](https://gluu.org/docs/gg).