If you cannot or don't want to configure Keycloak you can also implement a customOidcUserService which allows you to fetch authority information from a protected resource before the custom authorities for the user get mapped. See https://docs.spring.io/spring-security/reference/servlet/oauth2/login/advanced.html#oauth2login-advanced-map-authorities-oauth2userservice