How can we configure Keycloak as the Identity Provider (IdP) using Google, ensuring that logging in via the client is role-based? Currently, the login via the client works seamlessly, but the issue arises where users without the necessary roles can still log in. How can we enforce role-based access control to restrict login access only to users with specific roles? Could you provide a step-by-step guide for configuring Keycloak, including any necessary configurations within Google, to achieve this? Additionally, how can we ensure that only users with the appropriate roles granted by Keycloak are able to authenticate and access resources within the client application?