When I hit /auth/realms/{realm}/protocol/openid-connect/userinfo I get very little details about the user.

{
    "sub": "ed291f7a-a799-4d8b-a776-e634d727668c",
    "email_verified": true,
    "preferred_username": "admin"
}

More info (such as role lists) is inside the access token that I'm actually sending to this endpoint. I could just decode the access token instead of hitting this endpoint, is this expected/normal behavior or am I doing something wrong?

I managed to add 'Client roles' and 'Realm roles' to the Userinfo payload by doing the following:

1. go to Client Scopes > roles Mappers > realm roles
   
2. toggle on the 'Add to userinfo', and off the 'Add to token' ones
   
3. change the 'Token Claim Name' to whatever you want, anything would work
   

same applies for client roles, 1. becomes Client Scopes > roles Mappers > client roles
NB: Roles have to be but in the 'Assigned' column in 'Scope' tab

For me the solution was to make a custom mapper with a custom Token Claim Name. realm_access.roles from the predefined mappers didn't work fsr

The fields present in the response are scoped by the claims present in the access token.

Keycloak is OpenID compliant.

OpenID spec defines:

The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication. These Claims are normally represented by a JSON object that contains a collection of name and value pairs for the Claims.

The Claims defined in Section 5.1 can be returned, as can additional Claims not specified there.