docs(backend): keycloak permissions authorization via UMA

docs/cross-cutting-concepts/security.md

@@ -52,18 +52,19 @@ During this mapping the roles are prefixed with `ROLE_`, which Spring Security e
 
 #### Keycloak permissions
 
-::: warning Custom Plugin
-Currently this implementation relies on a custom Keycloak plugin which maps the Keycloak authorization permission into the
-`authorities` claim of the user info endpoint. Also, the plugin needs to be activated per client by adding a mapper.
-
-_The plugin will be made available as open source code in the near future._
+::: warning Keycloak specific
+This implementation relies on the UMA protocol which is not part of oAuth 2.0 or OpenID connect and not supported by all
+identity providers. Because of that this feature is coupled to using Keycloak or some other supporting identity provider.
 :::
 
-This implementation (`UserInfoAuthoritiesConverter.java`) uses permissions for authorization and retrieves them from the `authorities` claim exposed by the user-info endpoint.
+This implementation (`KeycloakPermissionsAuthoritiesConverter.java`) uses permissions for authorization and retrieves them
+from the OpenID token endpoint via the UMA protocol and grant-type `urn:ietf:params:oauth:grant-type:uma-ticket`.
 The resolved permissions are cached (default 1 minute).
 
+See [according Keycloak documentation](https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions) for more information.
+
 ::: info
-Because roles are the default in the templates, permission-based authorization must be explicitly enabled via the `userinfo-authorities` Spring profile.
+Because roles are the default in the templates, permission-based authorization must be explicitly enabled via the `keycloak-permissions` Spring profile.
 :::
 
 ### User attributes