Shouldn't the roles be added by a protocol mapper so it can be removed from the JWT if it's not needed?