I have a tenancy with several applications and was considering using Roles in our solution. The core role functionality does not have the ability to assign a role to an application (authorization extension does). I have prefixed the roles with an application prefix in an effort to perform this assignment (for example I have several admin roles which map to application roles in applications). My problem is now when I login to a specific application all the roles are included in the token not just those intended for the application I am logging into. Is this how roles are intended to be used or am I going down the wrong path?