Too much information in bearer token

We have an application using RBAC style authorization with keycloak. We have composite roles set up with individual permissions as roles - and some of the composite roles have up to ~80 individual roles/permissions.

There appears to be a certain point at which the keycloak server no longer accepts the token as valid and instead of responding normally to requests, the requests get a result of net::ERR_CONNECTION_RESET. I have traced this to the point of adding or removing one character from a user attribute will cause the server to respond or give an error.

I can, however, still start a session normally and receive my token from the server. Only subsequent API calls are affected…

I have increased the maximum header size for both our application and the server running keycloak to be unrealistically large and have experienced no change in behavior - so I am left wondering if there is a hard limitation of keycloak or perhaps we have some sort of design issue.

Does anyone have any suggestions on new avenues of exploration as to what is happening with our calls to the keycloak server or any design recommendations for implementing RBAC style authorization that may shed light on this issue?