diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
index 2bff1b17..d0dc7e72 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcAuthController.java
@@ -156,7 +156,7 @@ public class OidcAuthController {
 userId, provider, oidcUser.email(), oidcUser.name(), Instant.now()));
 // Apply claim mapping rules to assign managed roles/groups from JWT claims
- applyClaimMappings(userId, oidcUser.allClaims(), config.get());
+ applyClaimMappings(userId, oidcUser.allClaims(), oidcUser.roles(), config.get());
 List roles = rbacService.getSystemRoleNames(userId);
@@ -180,7 +180,8 @@ public class OidcAuthController {
 }
 }
- private void applyClaimMappings(String userId, Map claims, OidcConfig oidcConfig) {
+ private void applyClaimMappings(String userId, Map claims,
+ List oidcExtractedRoles, OidcConfig oidcConfig) {
 List rules = claimMappingRepository.findAll();
 rbacService.clearManagedAssignments(userId);
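Review bot: `applyClaimMappings` now takes a fourth argument that changes how authorization is decided, yet the signature in this hunk carries no Javadoc describing the precedence between explicit claim-mapping rules, `oidcExtractedRoles` and `oidcConfig.defaultRoles()`, or stating that `oidcExtractedRoles` may be null. Add a Javadoc above the signature along the lines of `Assigns managed roles/groups for {@code userId}. Precedence: matching claim-mapping rules, then roles carried in the token ({@code oidcExtractedRoles}, may be null), then {@code oidcConfig.defaultRoles()}.` with an `@param` entry for each argument. The method body continues into the next hunk and beyond it.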
@@ -214,15 +215,26 @@ public class OidcAuthController {
 }
 }
- // Fallback: if no mapping rules matched, assign defaultRoles from OIDC config
+ // Fallback priority: claim mapping rules > OIDC token roles > defaultRoles
 if (results.isEmpty()) {
- List defaultRoles = oidcConfig.defaultRoles();
- if (defaultRoles != null && !defaultRoles.isEmpty()) {
- for (String roleName : defaultRoles) {
+ // Use roles extracted directly from the OIDC token (e.g. Custom JWT 'roles' claim)
+ if (oidcExtractedRoles != null && !oidcExtractedRoles.isEmpty()) {
+ for (String roleName : oidcExtractedRoles) {
 UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
 if (roleId != null) {
 rbacService.assignRoleToUser(userId, roleId);
- log.debug("Default role {} assigned to {} (no claim mapping matched)", roleName, userId);
+ log.info("OIDC role {} assigned to {} (from token claim)", roleName, userId);
+ }
+ }
+ } else {
+ List defaultRoles = oidcConfig.defaultRoles();
+ if (defaultRoles != null && !defaultRoles.isEmpty()) {
+ for (String roleName : defaultRoles) {
+ UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
+ if (roleId != null) {
+ rbacService.assignRoleToUser(userId, roleId);
+ log.debug("Default role {} assigned to {} (no claim mapping or OIDC roles)", roleName, userId);
+ }
 }
 }
 }
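Review bot: Inside the new `oidcExtractedRoles` branch, any role name carried in the token that resolves through `SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName))` is granted with no operator-configured mapping in between, so whichever system roles exist in that map, privileged ones included, are now grantable purely by the identity provider's `roles` claim. If that is intended, say so in a comment on the branch and consider logging these grants at warn rather than info, since they are authorization decisions sourced from an external token; if not, this path should only run when the operator has explicitly enabled it or limited it to an accepted set of role names. A second problem is the `} else {`: when the token carries roles but none of them resolve (no `roleId != null` hit), the defaultRoles block is skipped and the user ends up with no managed roles, whereas the removed code would have assigned the defaults. Track whether a token role was actually applied — `boolean assignedFromToken = false;` before the loop, `assignedFromToken = true;` beside `rbacService.assignRoleToUser(userId, roleId);` — and replace `} else {` with a closing `}` followed by `if (!assignedFromToken) {` so the defaultRoles fallback still applies. `applyClaimMappings` starts in the previous hunk and its body runs past the end of this one.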