diff --git a/src/SponsorLink/SponsorLink/SponsorLink.cs b/src/SponsorLink/SponsorLink/SponsorLink.cs
index 81032c6..a4c0675 100644
--- a/src/SponsorLink/SponsorLink/SponsorLink.cs
+++ b/src/SponsorLink/SponsorLink/SponsorLink.cs
@@ -88,7 +88,7 @@ public static bool TryRead([NotNullWhen(true)] out ClaimsPrincipal? principal, I
 if (Validate(value.jwt, value.jwk, out var token, out var identity, false) == ManifestStatus.Valid && identity != null)
 {
 if (principal == null)
- principal = new(identity);
+ principal = new JwtRolesPrincipal(identity);
 else
 principal.AddIdentity(identity);
 }
@@ -158,7 +158,7 @@ public static ManifestStatus Validate(string jwt, string jwk, out SecurityToken?
 }
 token = result.SecurityToken;
- identity = new ClaimsIdentity(result.ClaimsIdentity.Claims);
+ identity = new ClaimsIdentity(result.ClaimsIdentity.Claims, "JWT");
 if (validateExpiration && token.ValidTo == DateTime.MinValue)
 return ManifestStatus.Invalid;
@@ -169,4 +169,9 @@ public static ManifestStatus Validate(string jwt, string jwk, out SecurityToken?
 return ManifestStatus.Valid;
 }
+
+ class JwtRolesPrincipal(ClaimsIdentity identity) : ClaimsPrincipal([identity])
+ {
+ public override bool IsInRole(string role) => HasClaim("roles", role) || base.IsInRole(role);
+ }
 }
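Review bot: The `Validate(...)` call guarding this branch passes `false` as its last argument, which (judging by the `validateExpiration` test in the Validate hunk) appears to skip expiry validation, so the new `JwtRolesPrincipal` will answer `IsInRole` from the `roles` claims of manifests that may already be expired. If any caller authorizes on roles, say so on the method, e.g. `// Expiration is not validated here: roles reflect the manifest as issued, so check expiry before authorizing on IsInRole.` TryRead starts and ends outside this hunk, so whether expiry is enforced elsewhere cannot be confirmed from here.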
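Review bot: Passing `"JWT"` as the authentication type makes `identity.IsAuthenticated` return true, and the assignment sits above the `validateExpiration` check, so the `out identity` is already an authenticated identity on the `return ManifestStatus.Invalid;` path. A caller that reads `identity` without comparing the result to `ManifestStatus.Valid` would then treat a rejected manifest as authenticated. Unless callers rely on the claims of a rejected manifest, clear it on that path with `{ identity = null; return ManifestStatus.Invalid; }`, assuming the out parameter is nullable, as the `identity != null` test in TryRead suggests. The two-argument constructor also does not carry over the name and role claim types of `result.ClaimsIdentity`, which deserves a one-line comment. Validate continues outside this hunk.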
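Review bot: `JwtRolesPrincipal` is declared without an access modifier or `sealed`, and nothing explains why the literal `"roles"` is checked alongside the default role claim type. `private sealed class JwtRolesPrincipal(ClaimsIdentity identity) : ClaimsPrincipal([identity])` with a short summary comment would fix both. The comment should state that `HasClaim` looks at every identity on the principal, including those added later through `AddIdentity` in TryRead, and that the role value is compared case-sensitively. An alternative that needs no subclass is to set the role claim type when the identity is built, `new ClaimsIdentity(result.ClaimsIdentity.Claims, "JWT", nameType: null, roleType: "roles")`, so that the base `IsInRole` already matches.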