<@U04UQ68083H> i have configured rbac rules and pe...
# ory-copilot
@chilly-king-10285 I have configured RBAC rules and permissions in Ory Network based on Ory Keto. Is it possible to configure the identity schema such that it includes the user roles in the access/ID token?
A message from kapa.ai
Based on the knowledge sources, Ory Network (using Ory Kratos for identity and Ory Keto for permissions) allows you to define custom identity schemas, including fields such as roles, using JSON Schema. You can add a roles field to your identity schema so that user identities include their roles as a trait. For example:
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "roles": {
          "type": "array",
          "items": { "type": "string" }
        }
      }
    }
  }
}
```
This will store the user's roles as part of their identity traits in Ory Kratos, and you can manage these roles as part of the user's profile data [Customize identity schemas](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema).

However, regarding the inclusion of these roles (or any custom trait) in the access or ID token issued via Ory Hydra (OIDC/OAuth2), the knowledge sources indicate that by default, only core OIDC scopes (such as email) are mapped automatically. There is currently no built-in, flexible way to map arbitrary identity traits (like roles) directly into the ID/access token claims out of the box. For more advanced mapping (such as including roles), you would need to implement a custom consent UI or endpoint to handle this mapping yourself. This is a known limitation and has been discussed in the Ory community, with workarounds suggested but no direct configuration available yet for arbitrary trait-to-claim mapping in the default flow [GitHub Issue: Default Consent UI should be able to populate ID token from traits](https://github.com/ory/network/issues/261).

Summary:
- You can add roles to the identity schema and store them as traits.
- Including these roles automatically in the access/ID token is not natively supported for arbitrary traits; a custom consent UI is required for advanced mapping.

If you need roles in the token, you must implement a custom consent flow to map the roles trait into the token claims.