[keycloak-user] WildFly adapter - dynamically added roles missing in access token

Following the "Example User Storage Provider with EJB and JPA" I've created a custom user storage provider. In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like this: @Override public Set<RoleModel> getRoleMappings() { final Set<RoleModel> roles = super.getRoleMappings(); for (final GroupBean group : groups) { roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()), group.getName())); } return roles; } RoleAdapter is my own (possibly incomplete!) implementation of RoleModel which I am using since I did not find a way to create an instance of i.e. org.keycloak.models.cache.infinispan.RoleAdapter so far. In the Admin Console, the dynamically added roles are listed as "Assigned Roles" for a particular user but not as "Effective Roles", maybe already that is a problem. When I request an access token for the user via the OIDC REST endpoint "/realms/{realm-name}/protocol/openid-connect/token" all roles are included in realm_access, roles. However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK auth-method using the WildFly adapter and have a look at the token obtained from the RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are not included in the access token. What could I be missing?