How to echo the allowed scopes in the Dynamic Client Registration response?

We’re trying to use Keycloak as an Authorization Server in support of SMART App Launch, which is an OAuth / OpenID Connect profile used in healthcare.

This specification has a conformance test suite and we’re failing one of the conformance tests because it is looking for a JSON key named “scope” in the response to the Dynamic Client Registration it submits.

Keycloak does return all the other fields being checked in the test, including redirect_uris, token_endpoint_auth_method, grant_types, response_types, client_id, client_secret, client_name, client_id_issued_at, client_secret_expires_at, etc.

I think they are basing the test on the following language from RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol:

Additionally, the authorization server MUST return all registered metadata about this client, including any fields provisioned by the authorization server itself.

My understanding is that they interpret that to mean that all registered fields from RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol must be in the response, although they only check for “client_id” and “scope”.

Does that sound right? How do we add the missing keys to the DCR response?
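The check the conformance test appears to perform, as an added example (not Keycloak code or the SMART test suite): compare the client metadata sent in the registration request with what the server's response returns, and report required keys that are missing. The request and response JSON are constructed samples using the field names from the question; the response deliberately omits "scope".

```python
"""Compare a Dynamic Client Registration request with its response
(RFC 7591, 'return all registered metadata about this client')."""
import json

# Constructed registration request a SMART app might send.
REGISTRATION_REQUEST = json.dumps({
    "client_name": "Example SMART App",
    "redirect_uris": ["https://app.example/cb"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_basic",
    "scope": "openid fhirUser launch/patient patient/*.read",
})

# Constructed response: echoes everything except "scope".
REGISTRATION_RESPONSE = json.dumps({
    "client_id": "CONSTRUCTED-CLIENT-ID",
    "client_secret": "CONSTRUCTED-SECRET",
    "client_id_issued_at": 1700000000,
    "client_secret_expires_at": 0,
    "client_name": "Example SMART App",
    "redirect_uris": ["https://app.example/cb"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_basic",
})


def check_dcr_response(request_json, response_json,
                       required=("client_id", "scope")):
    """Return which required keys are absent, which client-supplied
    fields were dropped entirely, and which came back with a different
    value (RFC 7591 lets the server substitute its own values, but the
    returned metadata is what the client must treat as registered)."""
    req = json.loads(request_json)
    resp = json.loads(response_json)
    missing_required = [k for k in required if k not in resp]
    not_echoed = sorted(k for k in req if k not in resp)
    changed = sorted(k for k in req if k in resp and resp[k] != req[k])
    return {"missing_required": missing_required,
            "not_echoed": not_echoed,
            "changed": changed}


if __name__ == "__main__":
    print(json.dumps(check_dcr_response(REGISTRATION_REQUEST,
                                        REGISTRATION_RESPONSE), indent=2))
```

Pointing this at a live registration endpoint's request/response pair shows at a glance whether the failure is a dropped field (as here with "scope") or a value the server replaced.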

As for the dynamic registration issue, although the OIDC spec does state that “all registered Metadata” be returned, it adds flexibility by saying “An Authorization Server MAY ignore values provided by the client”. If you look at the OIDC compliance certification spec, it excludes the “scope” requirement from the dynamic spec, and Keycloak is a certified implementation. https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf. So I would suggest the healthcare profile relax the return data format requirement and better align with the OIDC conformance requirement, unless it is absolutely required.