Missing realm roles in access token

I am trying to add realm roles as claims to the access token that is returned by Keycloak (21.0.2), but it seems that the realm roles are not being included in the JWT even though the users do have realm roles assigned to them.
Also, it does set the ‘client roles’, but just not the ‘realm roles’. I am wondering if this issue is caused by a bug that is still open (KEYCLOAK-9874), or if there might be something wrong with my implementation.

Any guidance or pointers would be appreciated.

What I tried:

  • modifying the default roles scope/mapper ‘Token Claim Name’
  • adding a new scope/mapper to add realm roles
  • making sure the mapper details ‘Add to ID token’, ‘Add to access token’ and ‘Add to userinfo’ are turned on
  • adding/removing different realm roles to the user

Resources considered:

It only worked for me when I enabled “Full scope allowed” on the client’s dedicated scope. That makes not only the realm roles show up, but the other clients’ roles as well.
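A quick way to confirm which role claims actually reached the token after each mapper or scope change is to decode the access token and look at the claim paths Keycloak's default mappers use: realm roles under `realm_access.roles` (or whatever ‘Token Claim Name’ was set to) and client roles under `resource_access.<client_id>.roles`. The script below is an added example, not code from this thread; the sample token is constructed and unsigned (`alg: none`) so it runs offline, and the `my-client` / `manage-orders` names are made up.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT.
    Inspection only: the signature is not checked here, so verify the
    token with a proper JWT library before acting on its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_at(payload: dict, path: str):
    """Follow a dotted claim path such as 'realm_access.roles'."""
    node = payload
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def role_claims(payload: dict, realm_claim: str = "realm_access.roles") -> dict:
    """Return realm roles and per-client roles found in a Keycloak token.
    realm_claim is the mapper's 'Token Claim Name' (Keycloak default shown)."""
    realm_roles = claim_at(payload, realm_claim) or []
    client_roles = {
        client: entry.get("roles", [])
        for client, entry in payload.get("resource_access", {}).items()
    }
    return {"realm_roles": list(realm_roles), "client_roles": client_roles}


def build_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned token for offline testing only."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."


# Constructed sample reproducing the symptom: client roles present, realm roles absent.
SAMPLE_TOKEN = build_unsigned_token({
    "sub": "1234-abcd",
    "azp": "my-client",
    "resource_access": {"my-client": {"roles": ["manage-orders"]}},
})

if __name__ == "__main__":
    claims = role_claims(decode_jwt_payload(SAMPLE_TOKEN))
    if not claims["realm_roles"]:
        print("no realm roles: check the realm roles mapper's claim name and the "
              "client's scope mappings / 'Full scope allowed'")
    print(json.dumps(claims, indent=2))
```

With ‘Full scope allowed’ turned off, Keycloak only includes realm roles that are listed in the client's scope mappings, which is why enabling it (or mapping the specific realm roles on the client's Scope tab) makes them appear.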