This issue is about the behavior of the OpenID Connect external role to role identity provider mapper.
If the external role is present in the external token when importing the user, then the role is mapped to this user (in importNewUser).
On later logins, the role may be unmapped if the external token does not contain the external role anymore (in updateBrokeredUser).
I wonder why the role is not also mapped when an already imported user (who was imported without that role) gains that external role.
In my opinion, it makes more sense.
I found an old issue that reports this behavior, but without any answer (https://issues.jboss.org/browse/KEYCLOAK-998).
Is the current behavior wanted, or can it be improved as I propose? I could submit a patch if so.
The same issue also applies to ClaimToRoleMapper.
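
The asymmetry described in the post, replayed over a sequence of logins. This is an added example, not part of the original post and not Keycloak's code. It is a simplified Python model in which the class, the `grant_on_update` switch, the role names and the token layout are all assumptions made for illustration; only the two hook names come from the post.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    roles: set = field(default_factory=set)


class RoleMapper:
    """Toy model of an external-role-to-role mapper (hypothetical, not Keycloak's API)."""

    def __init__(self, external_role, local_role, grant_on_update):
        self.external_role = external_role
        self.local_role = local_role
        # False models the behavior reported in the post, True the proposed one.
        self.grant_on_update = grant_on_update

    def _has_external_role(self, token):
        return self.external_role in token.get("roles", [])

    def import_new_user(self, user, token):
        # First login: the role is mapped only if the token carries it.
        if self._has_external_role(token):
            user.roles.add(self.local_role)

    def update_brokered_user(self, user, token):
        # Later logins: removal always happens, granting only if enabled.
        if self._has_external_role(token):
            if self.grant_on_update:
                user.roles.add(self.local_role)
        else:
            user.roles.discard(self.local_role)


def replay_logins(mapper, tokens):
    """Treat tokens[0] as the import and the rest as later logins.
    Returns the sorted local roles after each login."""
    user = User()
    history = []
    for i, token in enumerate(tokens):
        if i == 0:
            mapper.import_new_user(user, token)
        else:
            mapper.update_brokered_user(user, token)
        history.append(sorted(user.roles))
    return history


# Constructed tokens: imported without the role, gains it, then loses it.
GAINS_LATER = [{"roles": []}, {"roles": ["ext-admin"]}, {"roles": []}]
# Constructed tokens: imported with the role, then loses it.
LOSES_LATER = [{"roles": ["ext-admin"]}, {"roles": []}]
```

Under the reported behavior the local role can only ever shrink after import, so local authorization tracks revocations at the identity provider but not grants; with `grant_on_update=True` the local role follows the token in both directions.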