Tags: spring-security, jwt, roles

Add roles to logged-in user from external service using Spring Security and JWT authentication


Our application uses a third-party system to authenticate users. Having a JWT token, the UI calls the API server. The problem is that the JWT does not contain user roles. To fix that, our Java backend needs to call another external system and organise authorisation - very slow, buggy and verbose.

Is there a way with Java Spring Security to handle this situation?

  1. We can't rewrite JWT, so this is not an option.
  2. Can we add roles in Security context and use it as cache? Not optimal but progress.
  3. Is it acceptable to organise a "second" login to the backend system and send the UI another JWT with roles? The problem of the different expiration times exists ...
  4. Are there any customisers, filters that could be used?
  5. Is the JwtAuthenticationConverter suitable?

Any kind of help is welcome: ideas, suggestions, links, articles or books. Thank you in advance.


Solution

  • The solution is to write your own UserDetailsService. This is a standard approach to add additional information. Then the converter will create a token with enriched user information.

    The example project can be found here, together with its explanation.

    In my case I needed to communicate with the external system using OAuth. A guide on how to configure it is here.
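The approach the answer describes, as an added example that is not the answerer's project code: a custom `UserDetailsService` pulls roles from the external system, and a `Converter<Jwt, AbstractAuthenticationToken>` plugged into the resource server merges those roles with the scope authorities already in the JWT. It assumes Spring Security 6 (Spring Boot 3) and a hypothetical `ExternalRoleClient` interface standing in for the external role system; the per-subject cache, whose entries live no longer than the token that populated them, addresses point 2 of the question.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

/** Hypothetical client for the external role system (assumption, not a Spring type). */
interface ExternalRoleClient {
    /** Bare role names for a JWT subject, e.g. ["ADMIN", "AUDITOR"]; null if unknown. */
    List<String> rolesFor(String subject);
}

/** UserDetailsService backed by the external system; roles become ROLE_* authorities. */
class ExternalRolesUserDetailsService implements UserDetailsService {
    private final ExternalRoleClient client;

    ExternalRolesUserDetailsService(ExternalRoleClient client) { this.client = client; }

    @Override
    public UserDetails loadUserByUsername(String subject) {
        List<String> roles = client.rolesFor(subject);
        if (roles == null) throw new UsernameNotFoundException("unknown subject " + subject);
        return User.withUsername(subject)
                .password("")                         // never used: the JWT already authenticated the caller
                .roles(roles.toArray(new String[0]))  // User.roles() adds the ROLE_ prefix
                .build();
    }
}

/** Merges scope authorities from the JWT with externally loaded roles, cached until the token expires. */
class EnrichingJwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
    private record CachedRoles(Collection<GrantedAuthority> authorities, Instant expiresAt) {}

    private final UserDetailsService userDetailsService;
    private final JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
    private final Map<String, CachedRoles> cache = new ConcurrentHashMap<>();

    EnrichingJwtAuthenticationConverter(UserDetailsService uds) { this.userDetailsService = uds; }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        String subject = jwt.getSubject();
        // Cache lifetime is bounded by the token's own exp claim (5 minutes if the claim is absent).
        Instant exp = jwt.getExpiresAt() != null ? jwt.getExpiresAt() : Instant.now().plusSeconds(300);
        CachedRoles cached = cache.compute(subject, (key, old) -> {
            if (old != null && old.expiresAt().isAfter(Instant.now())) return old;
            Collection<GrantedAuthority> roles =
                    new ArrayList<>(userDetailsService.loadUserByUsername(subject).getAuthorities());
            return new CachedRoles(roles, exp);
        });
        // Scope-derived SCOPE_* authorities from the JWT plus ROLE_* authorities from the external system.
        Collection<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
        authorities.addAll(cached.authorities());
        return new JwtAuthenticationToken(jwt, authorities, subject);
    }
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ExternalRoleClient roleClient) throws Exception {
        var converter = new EnrichingJwtAuthenticationConverter(new ExternalRolesUserDetailsService(roleClient));
        http.authorizeHttpRequests(auth -> auth
                        .requestMatchers("/admin/**").hasRole("ADMIN")   // checks ROLE_ADMIN
                        .anyRequest().authenticated())
             .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The JWT's signature and expiry are still validated by the resource server before the converter runs, so the external lookup only ever happens for a token the third-party issuer actually signed. The `ConcurrentHashMap` cache is unbounded and only expires on access; a production deployment would use a bounded cache (for example Caffeine) and accept that a role revoked in the external system takes effect no later than the token's expiry.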