Dynamic Client Registration: assigned default vs optional scopes

We have concept of “Assigned Default Client Scopes” and “Assigned Optional Client Scopes” in Keycloak. This allows a client to automatically get the scope when hitting the token endpoint, vs explicitly requesting the scope.

In a Dynamic Client Registration request, is it possible to control whether whether the scope is automatically applied vs whether a client has to request that scope?

  "client_name": "sample",
  "token_endpoint_auth_method": "private_key_jwt",
  "token_endpoint_auth_signing_alg": "HS256",
  "jwks_uri": "URI of the JSON web key set",
  "redirect_uris": ["http://localhost"],
  "response_types": ["none"],
  "grant_types": ["client_credentials"],
  "subject_type": "public",
  "scope": "default optional"

I bet you are using openid-connect provider for client registration -
Doc: Securing Applications and Services Guide

Unfortunately, OIDC client model doesn’t have concept of default/optional scopes, only scopes: keycloak/OIDCClientRepresentation.java at main · keycloak/keycloak · GitHub

I would use default provider, where you can use Keycloak client model - it has those properties for the config:

    "defaultClientScopes": [],
    "optionalClientScopes": []

See: keycloak/ClientRepresentation.java at main · keycloak/keycloak · GitHub