In 6.5 Integrator's guide, 20.2.1. Dynamic Role Calculation
"If you enable dynamic role calculation, note that default roles and groups set during authentication will also need to be stored in the JWT_SESSION configuration. In the example below, the JWT_SESSION has been modified to include the internal user role fooRole, as well as group membership in the openidm-admin internal role"
It's not explained when and why defaultUserRoles is needed.