Roles and permissions not added by default

Hi there @milan.milojic !

Thanks for the detailed description of the issue, very helpful!

Assuming you have roles w/ permissions assigned directly to a user AND are including the audience param (API identifier) for an API that has RBAC + “add permissions in the Access Token” enabled, then the resulting access token should have a permissions claim with the relevant permissions added:

Access Token:

Roles themselves will need to be added as a custom claim to access tokens - I will note that it is common practice to infer roles from permissions so the extra step to add the actual roles as custom claims by way of a rule/action is not necessarily required.

Are you able to confirm you have RBAC as well as the option to add permissions to access tokens enabled for the API which you are using as your audience?

Keep us posted!

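To check what the reply above describes, the following added example (not part of the original post, and not Auth0's own code) decodes an access token's payload, reports whether the `permissions` claim and the expected audience are present, and infers roles from the permissions. The API identifier, the role names, the role-to-permission map and the sample token are constructed assumptions.

```python
import base64
import json


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned-looking token for the demo (dummy signature)."""
    return ".".join([_b64({"alg": "RS256", "typ": "JWT"}), _b64(claims), "c2ln"])


def decode_payload(token):
    """Decode the payload for inspection only; an API must verify the signature first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT, so there are no claims to inspect")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_permissions_claim(token, api_identifier, role_map):
    """Report on the aud and permissions claims and infer roles from permissions."""
    claims = decode_payload(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    findings = []
    if api_identifier not in aud:
        findings.append("aud does not contain the API identifier")
    perms = claims.get("permissions")
    if perms is None:
        findings.append("no permissions claim in the token")
    elif not perms:
        findings.append("permissions claim is present but empty")
    granted = set(perms or [])
    # A role is inferred only when every permission it needs was granted.
    roles = sorted(r for r, need in role_map.items() if need and set(need) <= granted)
    return {"permissions": sorted(granted), "inferred_roles": roles, "findings": findings}


# Hypothetical values for illustration only.
API_ID = "https://api.example.test"
ROLE_MAP = {"viewer": {"read:reports"}, "editor": {"read:reports", "write:reports"}}

if __name__ == "__main__":
    tok = make_sample_token({"aud": API_ID, "permissions": ["read:reports"]})
    print(check_permissions_claim(tok, API_ID, ROLE_MAP))
```
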