Id Token vs Access Token

Hi @kris.macgillivray,

ID Tokens should never be used to obtain direct access to APIs or to make authorization decisions. Therefore I would recommend putting the role information into your Access Tokens.

Any actual decisions made with respect to a user’s roles should be done from the information in the Access Token. Think of an ID token as a cache for the user’s profile, useful for populating a UI with their name, etc., but not to be used for any authorization purposes.

2 Likes
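As an added illustration (example code, not from the thread or from Auth0) of why the distinction matters at the API boundary: the resource server below accepts only a token whose audience is the API itself, so an ID token that happens to carry the same roles claim is rejected rather than used for an authorization decision. The HS256 secret, the audience values and the namespaced roles claim name are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
# Constructed demo values: an HS256 secret shared with the issuer, the API identifier
# (the access token's audience), the client id (the ID token's audience), and a
# namespaced custom claim in which the issuer places the user's roles.
SECRET = b"constructed-demo-secret"
API_AUDIENCE = "https://api.example.test"
CLIENT_ID = "demo-client-id"
ROLES_CLAIM = "https://example.test/roles"
NOW = 1_700_000_000  # fixed clock for the sample tokens

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict) -> str:  # stands in for the identity provider
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(token: str, required_role: str, now=None) -> bool:
    """True only for a validly signed, unexpired ACCESS token carrying required_role."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # pin the algorithm; never trust alg from the token alone
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False
    # An ID token is addressed to the client (aud == client id). The API accepts only
    # tokens whose audience is the API itself, so an ID token with a roles claim is
    # still rejected here rather than used for an authorization decision.
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False
    return required_role in claims.get(ROLES_CLAIM, [])

def sample_access_token() -> str:
    return make_jwt({"sub": "user-1", "aud": API_AUDIENCE, "exp": NOW + 3600, ROLES_CLAIM: ["admin"]})
def sample_id_token() -> str:  # same user and roles, but issued for the client UI
    return make_jwt({"sub": "user-1", "aud": CLIENT_ID, "exp": NOW + 3600, "name": "Demo User", ROLES_CLAIM: ["admin"]})
```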