I don't like option (a) as it wouldn't be very clear what scopes are available and what they result in. You'd have to search through all roles and protocol mappers to find a list of scopes, as well as somehow manually build a picture of what a scope implies.
A scope could affect:
* Behavior - for example openid and offline_access. We can hard code those, but what about others and custom ones?
* Roles - limit what roles are included. This is probably the simplest case as it's just about removing roles.
* Claims - limit what claims are included in the token. This boils down to protocol mappers. Some protocol mappers would want to be included/excluded based on scope, but I can also see that some protocol mappers would internally look at scope to determine what to include.
* Authorization - could also affect authorization separately? The token contains the scope param separately, so authorization policies could be written directly on scope rather than roles/attributes
Another thing is that the consent screen (and also showing application access in the account management console) should probably talk about scope rather than individual roles. For example:
* Gallery wants to view your personal details
* Backup application wants to access your photos
A few more points:
* It should be possible to view scopes available for a realm directly, not by scanning through roles and protocol mappers
* It should be possible to set a description on a scope
* It should be possible to define a scope that maps to multiple roles
* It should be possible to define a scope that maps to multiple protocol mappers
* It may be useful to be able to have protocol mappers that behave differently depending on the scope. Complexity may outweigh usefulness here though.
With that in mind I don't think option (a) is great. Option (b) would require introducing a whole new concept.
How about we use a combination of (a) and (b), by using composite roles? Something along the lines of:
* Scope maps to a role, but the role could be a composite role and hence expand to other roles.
* Protocol mappers could require a specific role to be applied
* We could add a page to view scopes for a realm
- This would show the corresponding role as well as effective roles if it's a composite role
- It would also list the protocol mappers included
One more thing: maybe when a composite role is used on the consent screen we could have an option for whether the composite role description should be shown rather than the individual roles?
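To make the combined (a)+(b) proposal concrete, here is an added toy model of it in Python. It is not Keycloak code and does not use any Keycloak API; it was written for this thread to show how a scope that maps to a (possibly composite) role, protocol mappers gated on a role, a scope listing for the realm, and a consent screen that can show the composite's description would fit together. All role, scope, mapper, client and user names (view-profile, photos, Gallery, alice, ...) are made up. Hard-coding openid and offline_access as behaviour scopes follows the post; rejecting unknown scopes is my own assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Scopes that change behaviour rather than roles/claims; hard-coded, as the post suggests.
BEHAVIOUR_SCOPES = {"openid", "offline_access"}

@dataclass
class Role:
    name: str
    description: str = ""  # consent-screen text shown instead of the child roles
    composites: set = field(default_factory=set)  # roles this composite expands to

@dataclass
class ProtocolMapper:
    name: str
    claim: str
    value: Callable[[dict], object]  # derives the claim value from the user record
    requires_role: Optional[str] = None  # None: mapper is always applied

class Realm:
    def __init__(self):
        self.roles, self.scopes, self.mappers = {}, {}, []  # scopes: scope -> role name
    def add_role(self, name, description="", composites=()):
        self.roles[name] = Role(name, description, set(composites))
    def define_scope(self, scope, role_name):
        if role_name not in self.roles:
            raise KeyError(f"unknown role: {role_name}")
        self.scopes[scope] = role_name
    def expand(self, role_name):
        """Effective roles of a role, following composites; safe against cycles."""
        seen, stack = set(), [role_name]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.roles[r].composites)  # KeyError for an undefined role
        return seen
    def scope_roles(self, scope):
        """Roles one scope can grant; unknown scopes are rejected (my assumption)."""
        if scope in BEHAVIOUR_SCOPES:
            return set()
        if scope not in self.scopes:
            raise ValueError(f"unknown scope: {scope}")
        return self.expand(self.scopes[scope])
    def issue_token(self, user, requested_scopes):
        """Token roles = user's effective roles limited to what the scopes allow;
        a mapper adds its claim only if its required role survived that cut."""
        granted = set().union(*(self.expand(r) for r in user["roles"]))
        allowed = set().union(*(self.scope_roles(s) for s in requested_scopes))
        token_roles = granted & allowed
        token = {"scope": " ".join(requested_scopes), "roles": sorted(token_roles)}
        for m in self.mappers:
            if m.requires_role is None or m.requires_role in token_roles:
                token[m.claim] = m.value(user)
        return token
    def consent_lines(self, client, requested_scopes, show_composite_description=True):
        """Consent screen text: the composite's description, or the individual roles."""
        lines = []
        for s in requested_scopes:
            if s in BEHAVIOUR_SCOPES:
                continue
            role = self.roles[self.scopes[s]]
            if show_composite_description and role.description:
                lines.append(f"{client} wants to {role.description}")
            else:
                lines.extend(f"{client} wants role {r}" for r in sorted(self.expand(role.name)))
        return lines
    def describe_scopes(self):
        """The proposed realm scopes page: role, effective roles and mappers per scope."""
        out = {}
        for scope, role_name in self.scopes.items():
            eff = self.expand(role_name)
            out[scope] = {"role": role_name, "effective_roles": sorted(eff),
                          "mappers": sorted(m.name for m in self.mappers
                                            if m.requires_role is None or m.requires_role in eff)}
        return out

def build_sample_realm():
    """Constructed sample realm (made-up names, not from any real deployment)."""
    realm = Realm()
    realm.add_role("view-profile", "view your personal details")
    realm.add_role("read-photos")
    realm.add_role("write-photos")
    realm.add_role("photos", "access your photos", composites={"read-photos", "write-photos"})
    realm.define_scope("profile", "view-profile")
    realm.define_scope("photos", "photos")
    realm.mappers += [
        ProtocolMapper("subject", "sub", lambda u: u["id"]),
        ProtocolMapper("email", "email", lambda u: u["email"], requires_role="view-profile"),
        ProtocolMapper("photo library", "photo_library", lambda u: u["library"], requires_role="read-photos"),
    ]
    return realm

# Constructed user: may read photos but was never granted write-photos.
ALICE = {"id": "alice", "email": "alice@example.com", "library": "lib-42",
         "roles": {"view-profile", "read-photos"}}
```

Requesting `openid photos` for alice yields a token whose roles are only `read-photos` (the scope allows `write-photos`, but she never held it), so the email mapper stays out and the photo library claim comes in; the consent screen for the same request reads "Backup application wants to access your photos" rather than listing three roles. The scope itself is carried in the token's `scope` claim, so an authorization policy can be written against it independently of the roles.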