However, I’m still slightly confused. The custom claim documentation says that roles is a restricted claim, but I wonder, is there any way to use it for displaying roles? I didn’t get it to work with the claim roles, only https://example.com/roles, although, after rereading the documentation, maybe the problem was not the namespace but the restriction of the claim roles. But anyway, what are the restrictions for the claim roles and is it possible to work within them?
roles is indeed a restricted claim, and cannot be used directly as a claim to add roles in token(s) as you’ve seen.
The restriction is on the use of the string roles as a custom claim itself: you can either use a custom namespace as you’ve demonstrated, OR something like userRoles would also work. This is just in an effort to avoid any potential collisions while adhering to OIDC/OAuth protocols.
Thanks a lot for the answer! Yes, it makes sense, but I wonder, does that mean that the roles claim will always be undefined? Or is it possible to activate it somehow, not as a custom claim, but as the claim it is reserved for?
Even if you attempt to add roles as a custom claim it will just be ignored altogether, so it is more or less just off limits. I will note that it is common practice to infer roles from permissions so the extra step to add the actual roles as custom claims by way of a rule/action is not necessarily required.
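An added example, not code from this thread or from Auth0: a post-login Action that writes the user's roles under the namespaced claim discussed above, a small mock of the Actions `api` object that simulates the documented behaviour of silently dropping a bare `roles` claim, and a relying-party helper that reads the namespaced claim or, failing that, infers roles from `permissions`. The namespace `https://example.com`, the permission-to-role map and the mock are assumptions; the `setCustomClaim` and `event.authorization.roles` calls are the real Actions interface.

```javascript
// Assumed tenant namespace; Auth0 requires a namespaced (or non-reserved) claim name.
const NAMESPACE = 'https://example.com';

// Auth0 post-login Action handler. In the tenant it is declared as
// `exports.onExecutePostLogin = async (event, api) => {...}`; kept synchronous
// here so the offline demo needs no await.
function onExecutePostLogin(event, api) {
  const roles = (event.authorization && event.authorization.roles) || [];
  // A bare 'roles' claim would be ignored; the namespaced name is accepted.
  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
}

// Mock of api.idToken / api.accessToken (offline stand-in, not Auth0 code).
// Only 'roles' is listed because that is the claim this thread is about;
// Auth0's real restricted list is longer.
const RESTRICTED = new Set(['roles']);
class MockToken {
  constructor() { this.claims = {}; }
  setCustomClaim(name, value) {
    if (RESTRICTED.has(name)) return; // silently ignored, as described above
    this.claims[name] = value;
  }
}

// Relying-party side: read roles from a decoded token payload. Prefers the
// namespaced claim; otherwise derives roles from `permissions` via a
// caller-supplied map (the "infer roles from permissions" practice).
function rolesFromPayload(payload, permissionToRole = {}) {
  const namespaced = payload[`${NAMESPACE}/roles`];
  if (Array.isArray(namespaced)) return [...namespaced];
  const perms = Array.isArray(payload.permissions) ? payload.permissions : [];
  const roles = perms.map((p) => permissionToRole[p]).filter(Boolean);
  return [...new Set(roles)]; // de-duplicate, keep first-seen order
}

// Constructed login event and mock api; returns the ID token claims produced.
function demo() {
  const event = { authorization: { roles: ['admin', 'editor'] } };
  const api = { idToken: new MockToken(), accessToken: new MockToken() };
  onExecutePostLogin(event, api);
  api.idToken.setCustomClaim('roles', ['admin']); // dropped: restricted name
  return api.idToken.claims;
}
```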