Access Policy Selector for OIDC

Hello everyone,

I am new to Cloudflare Access and struggle to configure a role based Access Policy using the OIDC Claim Selector for my Testapplication.

What I did so far:

  1. Added a selfhosted Keycloak instance as the IdP
  2. Added realm_access to the list of custom OIDC claims
  3. Verified, that the realm_access node is present in the generated JWT Token under the custom node
  4. Added a new Access Application
  5. Added new Policy based on OIDC Selector to verify specific roles

But non of my selected OIDC Selector Queries seem to work :frowning:

Thats how the JWT Json looks like:

....
"email": "[email protected]",
....
"custom": {
    "realm_access": {
        "roles": [
            "myrole1",
            "myrole2"       
        ]
    }
}

And heres the OIDC Selector Policy: