  1. Jenkins
  2. JENKINS-63851

API Token returns void authorities


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • core
    • None
    • Jenkins 2.249.1

      After creating a new API token for a user, the API token seems to return empty authorities via cURL, while via the browser the full list is shown. This error makes it impossible for us to use all the APIs, as they return 403.
      Example here:

      • via cURL (or with Python-Jenkins library) ->

        {_class: "hudson.security.WhoAmI", anonymous: false, authenticated: true, authorities: [], name: "my-user"}

      • via BROWSER -> https://myjenkinsinstance.com/whoAmI/api/json

        {
          _class: "hudson.security.WhoAmI",
          anonymous: false,
          authenticated: true,
          authorities: ["authenticated", "ADMIN", "offline_access", "uma_authorization"],
          name: "my-user"
        }

      The problem seems to be with the authorities field.

      With other endpoints, for example /api/python, the same behaviour seems to occur: a 403 (permission denied) is returned via cURL, while via the browser the full response is provided.

       

            Assignee: Unassigned
            Reporter: bollohz Federico Bollotta
            Votes: 1
            Watchers: 2
