Current wildfly-elytron-http-oidc uses the configuration key "use-resource-role-mappings" to decide if resource roles should be added to principal entity here: https://github.com/wildfly-security/wildfly-elytron/blob/55b54b5b79472d3c3624f5c366373fd2606230fa/http/oidc/src/main/java/org/wildfly/security/http/oidc/OidcSecurityRealm.java#L106
Problem is that this configuration uses resource OR realm roles only. So this should be changed to map resources AND realm roles.
The key "use-resource-role-mappings" should be interpreted as "Use resource roles?", but it is actually interpreted as "Use resource roles rather than realm roles?", its ambiguous.
Also, there is no key to use both roles, so another option could be add more keys to users choices.
These behavior is inherited from Keycloak Adapter, but with Keycloak Adapter we can build a custom adapter, this will not be possible with Wildfly Elytron implementation.