The JwtAuthProvider calls IAuthRepository.GetRoles() to retrieve the roles for the user which it then combines with Roles on the UserSession which is no longer adding duplicates from this commit.
This change is available from v5 that’s now available on MyGet, please review v5 changes before upgrading.