Shouldn't the roles be added by a protocol mapper so it can be removed from the JWT if it's not needed?