- Task
- Resolution: Done
- Major

When retrieving roles from an OIDC access token, we currently only support retrieving roles from the "realm_access" and "resource_access" claims in the payload. Access tokens provided by the RH SSO OpenID provider contain these claims. However, access tokens provided by the Azure AD OpenID provider contain the roles in a "roles" claim instead.
We could automatically retrieve the roles from an access token when it contains a "roles" claim since this is a standard claim name that also seems to be used by at least one other OpenID provider. No configuration changes would be needed to do this.
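
The lookup described above, as an added sketch that is not Elytron's code: it collects roles from a payload that carries either the "realm_access" / "resource_access" claims or a top-level "roles" claim, and ignores claims of the wrong JSON type. It assumes the token's signature and standard claims were already validated; `CLIENT_ID`, the helper names, the choice to read only this client's "resource_access" entry, and all sample payloads are constructed for illustration.

```python
# Added example: not Elytron code. Claim names follow the issue text;
# CLIENT_ID and all sample payloads are constructed for illustration.
CLIENT_ID = "my-app"  # hypothetical client id


def _string_list(value):
    """Return value's non-empty string entries if it is a list, else []."""
    if not isinstance(value, list):
        return []
    return [v for v in value if isinstance(v, str) and v]


def _nested_roles(container):
    """Read {"roles": [...]} from a claim that should be a JSON object."""
    return _string_list(container.get("roles")) if isinstance(container, dict) else []


def extract_roles(claims, client_id=CLIENT_ID):
    """Collect roles from an already signature-verified access token payload."""
    roles = []
    # RH SSO style: realm-wide roles.
    roles += _nested_roles(claims.get("realm_access"))
    # RH SSO style: per-client roles. Only this client's entry is read
    # (assumption of this example), so roles for other clients are ignored.
    resource_access = claims.get("resource_access")
    if isinstance(resource_access, dict):
        roles += _nested_roles(resource_access.get(client_id))
    # Azure AD style: top-level "roles" array.
    roles += _string_list(claims.get("roles"))
    # De-duplicate while keeping first-seen order.
    return list(dict.fromkeys(roles))


# Constructed payloads (not captured from any provider).
RH_SSO_CLAIMS = {
    "realm_access": {"roles": ["user"]},
    "resource_access": {
        "my-app": {"roles": ["editor", "user"]},
        "other-app": {"roles": ["admin"]},
    },
}
AZURE_AD_CLAIMS = {"roles": ["Task.Read", "Task.Write"]}
# Wrong JSON types: a bare string and an array where an object is expected.
MALFORMED_CLAIMS = {"roles": "admin", "realm_access": ["admin"]}

if __name__ == "__main__":
    for sample in (RH_SSO_CLAIMS, AZURE_AD_CLAIMS, MALFORMED_CLAIMS):
        print(extract_roles(sample))
```

The malformed payload yields no roles: a "roles" value that is a string rather than an array is rejected instead of being coerced into a role.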

- is related to
  - ELY-2488 Allow configuration of role claims for OpenID Connect (Open)