I've been trying to test application roles on the database-service example. I added "use-resource-role-mappings" property and enabled DirectAccessGrant to manually get a token. I also assigned the database-service:'user' role to bburke user and removed the realm-level 'user' role.When trying to access the /customers (as bburke) i keep getting a 403.

Btw, i've checked the token and it looks perfectly normal. 'user' role is there as an application level role.