Comment 4 for bug 1773967

Relatedly, application credentials don't work with implied roles. Since we now have the "member" role by default imply the "reader" role, the "reader" role appears in the token body and the user is allowed to create an application credential with it, but since it is not part of the role assignments table, the application credential can't then be used with just the "reader" role.