Hi,
I spent some time today with Client Scopes and wanted to ask some clarifying questions.
Here is what I did as a test and some conclusions:

Test 1:
- Set up a Client Scope called “Test Scope”
- Created a Mapper for this Client Scope that maps a hardcoded claim “foo” to the token
- Set the Scope of this Client Scope to the realm role “foo-users”
- Observe how the “foo” claim appears when “foo-users” role is assigned to user
Conclusion 1: “Scope” decides whether a Mapper is applied or not.

Test 2:
- Create a new realm role “bar-users” and assign it to the same user that is already in “foo-users”
- Create “User Realm Role” Mapper in “Test Scope”
- Observe, to my surprise, that only “foo-users” is in the token
Conclusion 2: “Scope” decides not only whether a mapper is applied, but also its content, as far as roles are concerned.

Test 3:
- Create “User Client Role” mapper in “Test Scope”
- Create a client “Test Client” alongside some client roles
- Assign “Test Scope” to “Test Client”
- Confirm that Scope of “Test Client” includes the client roles (always the case for every client, cannot be disabled)
- Assign a few client roles to a new user (has no realm roles)
- Evaluate token and observe that none of the client roles are included
- Adding the user to “foo-users” will include all assigned client roles in the token
Conclusion 3: The Scope of a client does not seem to influence the inherited global Client Scope, because otherwise the client roles would be in the token.

Can someone confirm whether my conclusions are correct? I’m a little surprised by #2 because of the dual purpose of Scope here (who & what), just as I’m a bit suspicious of #3, because including client roles in tokens by default should be a common use case. I’m currently achieving this by setting the Scope to a realm role that all users of the realm have by default, but that seems like a workaround.
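The role filtering observed in Test 2 follows Keycloak's documented scope-mapping rule: when a client does not have "Full Scope Allowed", the roles placed in its tokens are the user's effective roles (direct assignments plus composite expansion) intersected with the client's scope, which is the union of the client's own role scope mappings and the scope mappings of the client scopes attached to it. The model below is an added example written for this thread; it is neither code from the post nor Keycloak's own implementation. The role names, the client id, the `<clientId>/<role>` naming convention for client roles and the composite role `power-users` are all constructed; the rule that a client's own client roles are always in its scope is taken from the post's Test 3 description.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    # Realm roles are plain names ("foo-users"); client roles use the
    # constructed convention "<clientId>/<role>" ("test-client/viewer").
    name: str
    composites: set = field(default_factory=set)


@dataclass
class ClientScope:
    name: str
    scope_mappings: set  # roles this client scope contributes to a client's scope


@dataclass
class Client:
    client_id: str
    full_scope_allowed: bool
    scope_mappings: set    # the client's own role scope mappings
    client_scopes: list    # client scopes assigned to the client


def expand_roles(assigned, catalogue):
    """Effective roles: assigned roles plus composite members, transitively."""
    effective, todo = set(), list(assigned)
    while todo:
        name = todo.pop()
        if name in effective:
            continue
        effective.add(name)
        todo.extend(catalogue[name].composites)
    return effective


def client_scope_roles(client, catalogue):
    """Union of the client's own scope mappings, the scope mappings of its
    client scopes, and the client's own client roles (always in scope)."""
    scope = set(client.scope_mappings)
    for cs in client.client_scopes:
        scope |= cs.scope_mappings
    scope |= {n for n in catalogue if n.startswith(client.client_id + "/")}
    return scope


def token_roles(user_roles, client, catalogue):
    """Roles a token issued to `client` for this user would carry."""
    effective = expand_roles(user_roles, catalogue)
    if client.full_scope_allowed:
        return effective            # no filtering at all
    return effective & client_scope_roles(client, catalogue)


# Constructed realm mirroring the post's Test 2 (hypothetical names).
CATALOGUE = {
    "foo-users": Role("foo-users"),
    "bar-users": Role("bar-users"),
    "power-users": Role("power-users", composites={"foo-users", "bar-users"}),
    "test-client/viewer": Role("test-client/viewer"),
}
TEST_SCOPE = ClientScope("Test Scope", scope_mappings={"foo-users"})
TEST_CLIENT = Client("test-client", False, set(), [TEST_SCOPE])


def scenario_test2():
    # user holds foo-users and bar-users; scope only grants foo-users
    return token_roles({"foo-users", "bar-users"}, TEST_CLIENT, CATALOGUE)


def scenario_widened_scope():
    # adding bar-users to the client scope's scope mappings lets it through
    wide = ClientScope("Test Scope", scope_mappings={"foo-users", "bar-users"})
    client = Client("test-client", False, set(), [wide])
    return token_roles({"foo-users", "bar-users"}, client, CATALOGUE)


def scenario_full_scope_allowed():
    # "Full Scope Allowed" bypasses the intersection entirely
    client = Client("test-client", True, set(), [TEST_SCOPE])
    return token_roles({"power-users"}, client, CATALOGUE)


def scenario_composite_filtered():
    # composites are expanded first, then filtered by the scope
    return token_roles({"power-users"}, TEST_CLIENT, CATALOGUE)


if __name__ == "__main__":
    for fn in (scenario_test2, scenario_widened_scope,
               scenario_full_scope_allowed, scenario_composite_filtered):
        print(f"{fn.__name__}: {sorted(fn())}")
```

Running the module prints the role set each scenario yields; the model makes it easy to see which of a scope's two effects (who gets the mapper, what roles it emits) is in play before touching a real realm.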