Description
Before reporting an issue
- I have searched existing issues
- I have reproduced the issue with the latest release
Area
admin/fine-grained-permissions
Describe the bug
The uma-ticket response changes depending on whether the access_token has roles or not.
Trying to solve an issue where the JWT is getting too big to hold all of the roles. To solve that, I'm following this advice: https://keycloak.discourse.group/t/huge-jwt-token-size/17244/2 but it turns out it is not possible to get a success response from /realms/authorization_poc/protocol/openid-connect/token when requesting a uma-ticket if the access_token doesn't have roles on it.
Does this mean there is absolutely no way for a user to have many roles? Otherwise the JWT will get too big.
Seeing that #9713 is not solved, are there no possible approaches using Keycloak when the JWT gets too big?
Version
21.1.1
Expected behavior
The user should be granted access to a resource via realms/authorization_poc/protocol/openid-connect/token if they have access to the resource, regardless of whether the access_token carries the roles claims or not.
Actual behavior
The API returns access denied for a resource to a user who has access to that resource, if the access token doesn't have roles in it.
How to Reproduce?
Follow https://medium.com/@harsh.manvar111/keycloak-authorization-service-rbac-1c3204a33a50. You end up with a state where the user is allowed to access a resource, as shown by my test in Postman against realms/authorization_poc/protocol/openid-connect/token:
The next step is to remove all of the role data from the access token; I'm just removing it from here:
BUT when I call the token endpoint once again with this new access token, I always get denied/rejected:
This is 100% reproducible.
Anything else?
No response
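The reproduction above relies on Postman screenshots that are not preserved here. The following is an added example, not code from the original report or from the Keycloak project, that makes the two halves of the check explicit: it reads which role claims (`realm_access.roles`, `resource_access.<client>.roles`) an access token actually carries, and it builds the UMA-ticket request in decision mode that is sent to `/realms/<realm>/protocol/openid-connect/token`. The realm name `authorization_poc` comes from the report; the client name, resource and scope names, and the HS256 secret used to mint tokens for offline demonstration are constructed placeholders (real Keycloak tokens are RS256-signed by the realm key and must be verified, which this diagnostic helper deliberately does not do).

```python
"""Added example (not from the original issue or from Keycloak itself).

Inspect whether an access token carries role claims, and build/send the
UMA-ticket decision request described in the report. Realm, client, resource
and scope names and the HS256 secret are constructed placeholders.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request

# Grant type Keycloak's token endpoint accepts for UMA ticket requests.
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_test_jwt(claims: dict, secret: bytes = b"constructed-secret") -> str:
    """Mint a constructed HS256 token so the role inspection can run offline.
    Keycloak issues RS256 tokens; this is only a stand-in for demonstration."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_role_claims(token: str) -> dict:
    """Report the role claims present in a token's payload WITHOUT verifying
    the signature. Diagnostic only: never base an authorization decision on
    an unverified payload."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    realm_roles = payload.get("realm_access", {}).get("roles", [])
    client_roles = {
        client: entry.get("roles", [])
        for client, entry in payload.get("resource_access", {}).items()
    }
    has_roles = bool(realm_roles or any(client_roles.values()))
    return {"realm": realm_roles, "clients": client_roles, "has_roles": has_roles}


def build_uma_decision_request(audience: str, permissions: list[str]) -> list[tuple[str, str]]:
    """Form fields for a UMA ticket request in decision mode.
    Each permission is "<resource>#<scope>" (or just "<resource>")."""
    fields = [
        ("grant_type", UMA_GRANT),
        ("audience", audience),
        ("response_mode", "decision"),
    ]
    fields += [("permission", p) for p in permissions]
    return fields


def request_uma_decision(base_url: str, realm: str, access_token: str,
                         audience: str, permissions: list[str]) -> bool:
    """Send the decision-mode request with the access token as bearer.
    Returns True when Keycloak answers {"result": true}; False on HTTP 403
    (access denied); any other HTTP error is raised."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode(build_uma_decision_request(audience, permissions)).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("result") is True
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


if __name__ == "__main__":
    # Offline demonstration with two constructed tokens for the same subject.
    with_roles = make_test_jwt({"sub": "alice", "realm_access": {"roles": ["user"]}})
    without_roles = make_test_jwt({"sub": "alice"})
    for label, tok in (("with roles", with_roles), ("without roles", without_roles)):
        print(label, jwt_role_claims(tok))
    print(build_uma_decision_request("placeholder-client", ["Resource A#read"]))
    # Against a live server (placeholder values) one would call, e.g.:
    # request_uma_decision("http://localhost:8080", "authorization_poc",
    #                      with_roles, "placeholder-client", ["Resource A#read"])
```

Running `request_uma_decision` twice against the same realm, once with each token, turns the report's observation into a direct comparison: same subject, same permission, and the only variable is whether the bearer token carries role claims. Decision mode is used rather than requesting an RPT so the outcome is a single boolean rather than another large token.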