Nice! Well nothing seems particularly out of line there. I know the netlify docs on external providers do reference an “id” field being present in the JWT and yours does not have one, but the actual _redirects engine code that handles RBAC is closed source so I couldn’t verify whether or not that field’s presence is critical. And, while you may have already done this, I think it’s always worth digging in to really ensure the cookie header is actually being sent to the page correctly
Otherwise there was also this thread that came up recently which, while not on the same exact topic, included some tips for external JWT providers
May be worth a read 
–
Jon