[Feature/Extensions] Include backend roles in on-behalf-of token in CreateOnBehalfOfTokenAction #2865

Closed

Description

For on-behalf-of tokens it's important that the roles in the token refer to the mapped roles of the user, which correspond to the same mappedRoles in the PrivilegesEvaluator here. The mapped roles are ultimately what is used to evaluate privileges, and in order to accurately compute the mapped roles the IP Address of the caller is required, which would only be available in the node that receives the REST Request and issues an on-behalf-of token.

For the Create Token endpoint the handler for the endpoint should likewise call mapRoles so that it has access to the correct caller's information when computing the mapped roles to embed in the token.

As we were scoping out work for extensions, we identified that many plugins rely on backend roles, and one way of communicating backend roles to an extension is through a claim in the token. While it may not be necessarily required to have backend_roles as a claim in an on-behalf-of token, if they are to be used for extensions then that is the chosen mechanism for communicating that data to an extension.

The NoopAuthenticationBackend and AuthCredentials classes also need to be updated to support Security Roles (not only Backend Roles).
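The following is an added illustration, not code from the issue or from the security plugin: a small Python model of why mapped roles have to be resolved on the node that receives the REST request, since host-based mapping rules need the caller's IP. The mapping table, the function names and the `roles` claim name are assumptions made for the example; `backend_roles` is the claim name used in the issue.

```python
import ipaddress

# Constructed role mapping: a security role is granted by user name,
# by backend role, or by the network the caller connects from.
ROLES_MAPPING = {
    "all_access":   {"users": {"admin"}, "backend_roles": set(), "hosts": []},
    "reports_read": {"users": set(), "backend_roles": {"analyst"}, "hosts": []},
    "ops_internal": {"users": set(), "backend_roles": set(), "hosts": ["10.0.0.0/8"]},
}

def host_matches(caller_ip, networks):
    """True if caller_ip falls inside any of the configured networks."""
    if caller_ip is None:  # no REST-layer context: host rules cannot match
        return False
    addr = ipaddress.ip_address(caller_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def map_roles(user, backend_roles, caller_ip):
    """Resolve the security (mapped) roles for one caller."""
    mapped = set()
    for role, rule in ROLES_MAPPING.items():
        if (user in rule["users"]
                or rule["backend_roles"] & set(backend_roles)
                or host_matches(caller_ip, rule["hosts"])):
            mapped.add(role)
    return sorted(mapped)

def build_obo_claims(user, backend_roles, caller_ip):
    """Claims for an on-behalf-of token, built where the caller IP is known."""
    return {
        "sub": user,
        # "roles" is a hypothetical claim name for the mapped roles
        "roles": map_roles(user, backend_roles, caller_ip),
        "backend_roles": sorted(backend_roles),
    }

if __name__ == "__main__":
    # Same user and backend roles; only the caller IP differs.
    print(build_obo_claims("alice", ["analyst"], "10.1.2.3"))
    print(build_obo_claims("alice", ["analyst"], None))
```

With the caller IP available, the token carries both `ops_internal` and `reports_read`; resolved without it, the host-based role is silently missing from the token.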

Labels: bug, triaged
