Authorization Extension: Persistence Missing After OAuth Token

I’m seeing strange behavior with the Authorization Extension’s Persistence feature between logins that happen via the Lock widget and logins that happen via a “Resource Owner Password” access_token request.

When a user logs in via the Lock widget, the app_metadata properly fills in with the authorization persistence settings ( groups, roles, permissions), but after a POST /oauth/token for that same user, only the groups authorization settings remain in the app_metadata. The roles and permissions values are emptied. Not until the user again logs in via the Lock widget do these values fill back in.

This was very much unexpected. Any ideas?