Does the Scope of a Client Scope control who AND what?


I spent some time today with Client Scopes and wanted to ask some clarifying questions.

Here is what I did as a test and some conclusions:

Test 1:

  1. Setup a Client Scope called “Test Scope”
  2. Created a Mapper for this Client Scope that maps a hardcoded claim “foo” to the token
  3. Set the Scope of this Client Scope to the realm role “foo-users”
  4. Observe how the “foo” claim appears when “foo-users” role is assigned to user

Conclusion 1: “Scope” decides whether a Mapper is applied or not.

Test 2:

  1. Create a new realm role “bar-users” and assign it to the same user that is already in “foo-users”
  2. Create “User Realm Role” Mapper in “Test Scope”
  3. Observe, to my surprise, that only “foo-users” is in the token

Conclusion 2: “Scope” decides not only if a mapper is applied, but also on the content, as far as roles are concerned.

Test 3:

  1. Create “User Client Role” mapper in “Test Scope”
  2. Create a client “Test Client” alongside some client roles
  3. Assign “Test Scope” to “Test Client”
  4. Confirm that Scope of “Test Client” includes the client roles (always the case for every client, cannot be disabled)
  5. Assign a few client roles to a new user (has no realm roles)
  6. Evaluate token and observe that none of the client roles are included
  7. Adding the user to “foo-users” will include all assigned client roles in the token

Conclusion 3: The Scope of a client does not seem to influence the inherited global Client Scope, because otherwise the client roles would be in the token.

Can someone confirm if my conclusions are correct? I’m a little surprised by #2 because of the dual purpose of Scope here (who & what), just like I’m a bit suspicious of #3, because including client roles in tokens by default should be a common use case. I’m currently achieving this by setting the Scope to a realm role that all users of the realm have by default, but that seems like a workaround.

While I am still a little curious about the dual purpose of #2, my main issue (#3) turned out to be a bug.
I deleted the client role mapper and put it into its own Client Scopes entry, without defining any Scope for it. Now, every client includes client roles in the token, which is the expected behaviour, as every client defines its own roles in its scope.
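The "evaluate token" steps in the tests above come down to one question: which roles and custom claims actually made it into the issued token. The script below, an added example that is not part of the original post, does that inspection the way a practitioner would want to: it verifies the signature first and only then reports `realm_access.roles`, `resource_access.<client>.roles` and the hardcoded `foo` claim. The token is constructed in-line and signed with HS256 so the script runs offline; real Keycloak tokens are RS256 by default, so against a live realm the HMAC check would be swapped for RSA verification against the realm's JWKS (an assumption about the reader's setup, not something the post describes).

```python
# Inspect which roles and custom claims actually landed in a Keycloak-style
# access token. Added example; not part of the original post. The token is
# constructed in-line and signed with HS256 so the script runs offline; real
# Keycloak tokens are RS256 by default (assumption: the reader swaps in a JWKS
# based RSA check against a live realm).
import base64
import hashlib
import hmac
import json

# Constructed sample: a user with one realm role and two client roles on
# "test-client", plus the hardcoded "foo" claim from Test 1 in the post.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",  # constructed placeholder
    "azp": "test-client",
    "foo": "bar",
    "realm_access": {"roles": ["foo-users"]},
    "resource_access": {"test-client": {"roles": ["client-admin", "client-viewer"]}},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256) carrying the constructed sample claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature before trusting any claim, then return the payload."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part compact JWS") from None
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token tell you how to verify it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))


def summarize_roles(claims: dict) -> dict:
    """Report what the post's tests look for: realm roles, client roles per client, the foo claim."""
    realm_roles = sorted(claims.get("realm_access", {}).get("roles", []))
    client_roles = {
        client: sorted(entry.get("roles", []))
        for client, entry in claims.get("resource_access", {}).items()
    }
    return {"realm_roles": realm_roles, "client_roles": client_roles, "foo_claim": claims.get("foo")}


if __name__ == "__main__":
    token = make_test_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print(json.dumps(summarize_roles(verify_and_decode(token, SAMPLE_SECRET)), indent=2))
```

Running it against the constructed token prints `foo-users` under realm roles and the two client roles under `test-client`; a user with no realm roles (Test 3 before step 7) simply has no `realm_access` entry, and the summary reports an empty list rather than failing. The algorithm pin and the constant-time comparison are there because a token inspector that trusts the `alg` header or short-circuits on the first differing byte is the classic way such a debugging tool turns into a verification hole.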