diff --git a/lib/auth/permissions_test.go b/lib/auth/permissions_test.go
index a11f9282ea075..f2dc9cc90a6ff 100644
--- a/lib/auth/permissions_test.go
+++ b/lib/auth/permissions_test.go
@@ -66,13 +66,13 @@ func TestAuthorizeWithLocksForLocalUser(t *testing.T) {
 })
 require.NoError(t, err)
- user, _, err := CreateUserAndRole(srv.AuthServer, "test-user", []string{})
+ user, role, err := CreateUserAndRole(srv.AuthServer, "test-user", []string{})
 require.NoError(t, err)
 localUser := LocalUser{
 Username: user.GetName(),
 Identity: tlsca.Identity{
 Username: user.GetName(),
- Groups: []string{"test-role-1"},
+ Groups: []string{role.GetName()},
 MFAVerified: "mfa-device-id",
 ActiveRequests: []string{"test-request"},
 },
diff --git a/lib/services/role.go b/lib/services/role.go
index eda4222e64d2b..9f6276b9f5c52 100644
--- a/lib/services/role.go
+++ b/lib/services/role.go
@@ -778,9 +778,11 @@ func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, e
 // which Teleport passes along as a *tlsca.Identity. If roles and traits do not
 // exist in the certificates, they are extracted from the backend.
 func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error) {
- // For legacy certificates, fetch roles and traits from the services.User
- // object in the backend.
- if missingIdentity(identity) {
+ // Legacy certs are not encoded with roles or traits,
+ // so we fallback to the traits and roles in the backend.
+ // empty traits are a valid use case in standard certs,
+ // so we only check for whether roles are empty.
+ if len(identity.Groups) == 0 {
 u, err := access.GetUser(identity.Username, false)
 if err != nil {
 return nil, nil, trace.Wrap(err)
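Review bot: The exported doc comment on ExtractFromIdentity is now stale: the context lines still say roles *and* traits missing from the certificate trigger the backend lookup (`// exist in the certificates, they are extracted from the backend.`), but the new condition consults only `identity.Groups`, so an identity that carries roles with empty traits now keeps those empty traits instead of inheriting the backend user's. Because this function determines which roles an identity is authorized with, the rule should be stated precisely where callers read it; suggested replacement for the two context lines: `// which Teleport passes along as a *tlsca.Identity. If no roles are encoded in the` / `// certificate (legacy certificates), roles and traits are fetched from the backend user.` The new inline comment should also be written as sentences, e.g. `// Legacy certs are not encoded with roles or traits, so fall back to the backend user.` and `// Empty traits are valid in standard certs, so only check whether roles are empty.`. The body of ExtractFromIdentity continues past the hunk.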
@@ -823,15 +825,6 @@ func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]strin
 return NewRoleSet(roles...), nil
 }
-// missingIdentity returns true if the identity is missing or the identity
-// has no roles or traits.
-func missingIdentity(identity tlsca.Identity) bool {
- if len(identity.Groups) == 0 || len(identity.Traits) == 0 {
- return true
- }
- return false
- }
-
 // ExtractRolesFromCert extracts roles from certificate metadata extensions.
 func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error) {
 data, ok := cert.Extensions[teleport.CertExtensionTeleportRoles]