Some of the auth service endpoints enforce roles from the auth service's own User domain (e.g. password reset). This shouldn't be the case: user roles should be verified against reference data exclusively (currently I need both the role from ref data and the admin role in the auth service).
Files to look into:
UserRole dropped from the User domain in the Auth Service
Users created via UI and assigned user administration roles also via UI can create new users and reset their passwords
Auth should use role assignments from the referencedata service