Roles not added to token

I’ve changed focus from setting a custom claim to setting app_metadata because I learned that my application is already looking in app_metadata.authorization.roles in the token to find roles.

My login action is like this:

exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    var authorization = {"roles": event.authorization.roles}
    api.user.setAppMetadata(`authorization`, authorization);
  }
}

This does have the intended effect of populating app_metadata. Now I can at least be certain the action is functioning.

In my application (Caddy Security), I can see the OIDC id token and OAuth access token are received. The id token looks normal to me, but the access token has a null claimset.

There are no characters between the . separators, only the JWT header and signature are defined.