diff --git a/backend/src/Squidex/Config/Authentication/OidcHandler.cs b/backend/src/Squidex/Config/Authentication/OidcHandler.cs
index 19ba1bfab..af835fe78 100644
--- a/backend/src/Squidex/Config/Authentication/OidcHandler.cs
+++ b/backend/src/Squidex/Config/Authentication/OidcHandler.cs
@@ -26,14 +26,14 @@ namespace Squidex.Config.Authentication
 if (!string.IsNullOrWhiteSpace(options.OidcRoleClaimType) && options.OidcRoleMapping?.Count >= 0)
 {
- var role = identity.FindFirst(x => x.Type == options.OidcRoleClaimType)?.Value;
+ var permissions = options.OidcRoleMapping
+ .Where(r => identity.HasClaim(options.OidcRoleClaimType, r.Key))
+ .SelectMany(r => r.Value)
+ .Distinct();
- if (!string.IsNullOrWhiteSpace(role) && options.OidcRoleMapping.TryGetValue(role, out var permissions) && permissions != null)
+ foreach (var permission in permissions)
 {
- foreach (var permission in permissions)
- {
- identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission));
- }
+ identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission));
 }
 }
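Review bot: The `permissions != null` guard from the removed branch has no equivalent in the new query, so a matched `OidcRoleMapping` entry whose value is null would make `.SelectMany(r => r.Value)` throw while the identity is being built, which would presumably fail sign-in for every user holding that role. Whether a null value can occur depends on how the options are bound, which is not visible here. Keeping the guard is one line: `.SelectMany(r => r.Value ?? Enumerable.Empty<string>())`. The code now grants the union of permissions for every matching role claim instead of only the first, and `HasClaim(type, value)` compares the claim type case-insensitively but the value with ordinal case, so a short comment above the query stating both would help anyone auditing the role mapping. The enclosing method starts and ends outside the hunk.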