extract
Extracts the list of role strings located at rolesClaimPath within the JWT jwt.
The path is dot-separated and walks nested JSON objects, which covers both flat layouts ("roles") and Keycloak's default nested layout ("realm_access.roles"). Returns an empty list when any segment is missing or when the leaf is not a JSON array of strings — this keeps the converter agnostic of the role vocabulary defined in Keycloak.