Should applications (non oauth clients) scope be disabled by default?
This would mean that any roles assigned to the user would be added to
the token.
I just think there will be tons of user questions on why doesn't
keycloak work for their application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com