The proper solution is to remove the whoAmI endpoint, which will make sure the admin console uses tokens directly which will eliminate any issues like this in the future.

That comes with one caveat, which is updating roles when a new realm is created (or a realm is renamed). There's a simply solution to that though, which is simply redirect to the login screen to get a new token. In the future we're planning to remove the master realm completely as well. It also applies to using admin endpoints obviously. So anyone adding a new realm would need to get a new token to access the new realm. That's not a frequent operation though so shouldn't be a big inconvenience.

I've got this all working and it didn't take long to implement, but just wanted to give everyone a heads up before I merge it.