Once we introduce a realm admin resource provider I was hoping it would sort out these issues. It's not a high priority for us at the moment though, especially not considering that in the future we want to remove the master realm as well as remove the whoAmI endpoint used by the admin client and instead make it use the token directly.