diff --git a/src/main/java/de/tavolio/oidc/identityproviders/ClientIdentityProvider.java b/src/main/java/de/tavolio/oidc/identityproviders/ClientIdentityProvider.java
index 3bdd1e5..0158fb6 100644
--- a/src/main/java/de/tavolio/oidc/identityproviders/ClientIdentityProvider.java
+++ b/src/main/java/de/tavolio/oidc/identityproviders/ClientIdentityProvider.java
@@ -10,6 +10,7 @@ import de.tavolio.realm.client.ClientEntity;
 import de.tavolio.realm.client.ClientService;
 import de.tavolio.realm.key.KeypairEntity;
 import de.tavolio.realm.key.KeypairRepo;
+import de.tavolio.realm.user.Permission;
 import de.tavolio.verify.JwksService;
 import de.tavolio.verify.jwks.JwksKey;
 import io.quarkus.security.AuthenticationFailedException;
@@ -33,7 +34,6 @@ import org.eclipse.microprofile.jwt.JsonWebToken;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.security.Permission;
 import java.security.PublicKey;
 import java.util.*;
 import java.util.stream.Collectors;
@@ -85,7 +85,8 @@ public class ClientIdentityProvider implements IdentityProvider<TokenAuthenticat
                             ClientEntity client = clientService.findByIdAndRealm(token.getName(), realm);
                             if (client != null)
                             {
-                                return (SecurityIdentity) QuarkusSecurityIdentity.builder().setPrincipal(new QuarkusPrincipal(client.getId())).addRole(Role.CLIENT.toString()).addAttribute("permissions", new HashSet<>(client.getPermissions())).build();
+                                Set<Permission> permissions = new HashSet<>(client.getPermissions());
+                                return (SecurityIdentity) QuarkusSecurityIdentity.builder().setPrincipal(new QuarkusPrincipal(client.getId())).addRole(Role.CLIENT.toString()).addAttribute("permissions", permissions).build();
                             }
                         }
                         catch (ParseException e)