Should applications' (non-OAuth clients) scope be disabled by default? This would mean that any roles assigned to the user would be added to the token. I just think there will be tons of user questions on why Keycloak doesn't work for their application.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com