Dear all. Using KC 4.2.1, I get the following access token for a "Service Account User": { "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878", "exp": 1534251578, "nbf": 0, "iat": 1534251278, "iss": "https://xxx/auth/realms/NAK", "aud": "nak-portal", "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4", "typ": "Bearer", "azp": "nak-portal", "auth_time": 0, "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0", "name": "nak portal", "given_name": "nak", "family_name": "portal", "preferred_username": "service-account-nak-portal", "email": "service-account-nak-portal(a)placeholder.de", "email_verified": true, "acr": "1", "allowed-origins": [ "http://dummy:8008" ], "realm_access": { "roles": [ "source_system" ] }, "resource_access": { "realm-management": { "roles": [ "manage-users", "view-users", "query-clients", "query-groups", "query-users" ] } }, "scope": "email profile", "clientId": "nak-portal", "clientHost": "80.242.181.71", "clientAddress": "80.242.181.71", "client_id": "nak-portal", "username": "service-account-nak-portal", "active": true } Please note the five realm-management client roles. Problem is that for the given service account I have assigned many more roles, please see attached screenshot Why don't I see all effective roles (or assigned roles) in my access token? Interestingly enough I am also missing some of my realm roles. I have mapped 4 realm roles, but in the token I only have 1. Am I missing something? Thanks in advance, greetings Henning