We are trying to use Keycloak auth on a Spring Boot app as demonstrated on
this page:
https://developers.redhat.com/blog/2017/05/25/easily-secure-your-spring-boot-applications-with-keycloak/
Everything works fine as long as I use client roles. However, our user base
is in Active Directory. We have successfully created a role mapper for the
realm to convert AD groups to realm roles. However, we can't get the above
example to work with realm roles. We intend to use the realm roles across
several clients so we don't want to map them to each client config
individually.
This documentation:
http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/java-adapter-config.html
claims that the property use-resource-role-mappings controls whether client
or realm roles are used. However, whether that property is set to true or
false we are only seeing client resource roles work in the demo app.
We are using Keycloak 3.2.1.Final and setting the property in Spring as
keycloak.use-client-role-mappings = false. I'm especially frustrated
because the docs say it defaults to realm roles if the property is not
present and we're not seeing that behavior either.
Are we doing something wrong? What are we missing? Maybe a bug?
Thanks,
Jeff
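
Added example, not part of the original message or of Keycloak's code: a Keycloak access token carries realm roles under realm_access.roles and client roles under resource_access.<client>.roles, and this sketch shows which set an application sees for each value of use-resource-role-mappings, which helps check whether the mapped realm roles are in the token at all. The token, the client id "demo-app" and the role names are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload for inspection only (signature is NOT checked)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def effective_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """Roles the application sees for each value of use-resource-role-mappings."""
    if use_resource_role_mappings:
        # Client roles: only the entry for this client id is considered.
        access = claims.get("resource_access", {}).get(client_id, {})
    else:
        # Realm roles: shared by every client in the realm.
        access = claims.get("realm_access", {})
    return set(access.get("roles", []))


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed claims: one realm role from an AD group mapper, one client role.
SAMPLE_CLAIMS = {
    "preferred_username": "jdoe",
    "realm_access": {"roles": ["ad-finance"]},
    "resource_access": {"demo-app": {"roles": ["user"]}},
}

if __name__ == "__main__":
    claims = decode_claims(make_sample_token(SAMPLE_CLAIMS))
    for flag in (False, True):
        print(flag, sorted(effective_roles(claims, "demo-app", flag)))
```

If realm_access is missing or empty in a real token, the mapped roles never reached the token, and no adapter setting will surface them.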