diff --git a/Security/User/KeycloakUserProvider.php b/Security/User/KeycloakUserProvider.php
index 0e46387..f18a0f5 100644
--- a/Security/User/KeycloakUserProvider.php
+++ b/Security/User/KeycloakUserProvider.php
@@ -60,6 +60,10 @@ function ($role) {
             );
         }
 
+        if (empty($roles) && empty($resourceOwner->getResourceAccess())) {
+            throw new \RuntimeException('ResourceAccess is empty, ensure that in the keycloak realm configuration client scope "client roles" is available for userinfo');
+        }
+
         if (isset($resourceOwner->getResourceAccess()[$provider->getClientId()])) {
             $roles = array_map(
                 function ($role) {