Policy enforcer without roles in token

Hi guys,
we’re experiencing issues with JWT access_token size, and we were planning to remove the “roles” claim as a default, so as to remove the claim from the access_token. Once we do that, the KC adapter / policy enforcer returns a 403. So at this point, must the access_token have the roles inside it? Or is it another problem that is giving us the 403?

Keeping it up since it could also be useful for other developers…

Don’t exactly know the use case here, but if you are using the Spring adapter, you will want to set use-resource-role-mappings to false so it doesn’t look in the token for roles.