Custom scopes are not resolving without the 'openid' scope in the JWT bearer grant #21112

Open
ShehanDinuka opened this issue Sep 14, 2024 · 0 comments
@ShehanDinuka
Contributor

Describe the issue:

In version 7.0, it was identified that when custom scopes are requested using the JWT Bearer Grant, the scopes are not properly resolved, and as a result, they are not included in the exchanged access token or bearer response.

If the openid scope is requested along with the custom scopes, the request functions as expected. However, ideally, the custom scopes should resolve properly even without the inclusion of the openid scope.

How to reproduce:

  • Create an API resource and define one or more custom scopes.
  • Create a role and associate the custom scopes with it.
  • Create a group and assign the role created in the previous step.
  • Set up a connection by providing the alias, issuer details, and uploading the Identity Server's public key as a certificate.
  • Navigate to the Connection → Groups section and add an IDP group (e.g., group1).
  • In User Management → Roles → select the role → Groups → External Groups, map the previously added IDP group to the local role.
  • Create a user and assign the local group created in step 3.
  • Generate the assertion with the correct identity provider (IDP) and user information.
  • Request the custom scopes in the JWT Bearer request, omitting the openid scope.
  • Observe that the custom scopes are not included in the response.
  • When the openid scope is included in the request, the custom scopes are correctly resolved.

Expected behavior:

The custom scopes should resolve properly even without the inclusion of the openid scope.

Environment information (Please complete the following information; remove any unnecessary fields):

  • Product Version: [IS 7.0.0]
  • OS: [Mac]
  • Database: [H2]
  • Userstore: [JDBC]

Optional Fields

Related issues:

#21009
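A small regression check for the behaviour reported above, added here as an illustration and not code from the issue or from the WSO2 project. It builds the JWT bearer grant token request body (RFC 7523) with and without `openid`, then compares the scopes a client asked for against the scopes the token response actually carries, looking at both the response's `scope` field and the `scope` claim inside the access token. The token endpoint URL, the `scope` claim name and the two sample responses are assumptions constructed for the example; the access tokens in them are unsigned stand-ins so the check runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed values for illustration; substitute your own deployment's endpoint.
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"  # assumption
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT, decoded without signature verification.
    Inspection helper only; never make authorization decisions on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(b64url_decode(parts[1]))


def build_token_request(assertion: str, scopes: list[str], include_openid: bool) -> str:
    """URL-encoded body for a JWT bearer grant token request (RFC 7523 section 2.1).
    The 'scope' parameter is space-delimited, as RFC 6749 requires."""
    requested = (["openid"] if include_openid else []) + list(scopes)
    return urlencode({
        "grant_type": JWT_BEARER_GRANT,
        "assertion": assertion,
        "scope": " ".join(requested),
    })


def granted_scopes(token_response: dict) -> set[str]:
    """Scopes the client can actually rely on: those listed in the response's 'scope'
    field and, when the access token is a JWT, also present in its 'scope' claim
    (assumed claim name; JWT access tokens are the default in IS 7.0)."""
    granted = set(token_response.get("scope", "").split())
    access_token = token_response.get("access_token", "")
    if access_token.count(".") == 2:
        claim = jwt_claims(access_token).get("scope", "")
        if isinstance(claim, str):
            claim = claim.split()
        granted &= set(claim)
    return granted


def missing_scopes(requested: list[str], token_response: dict) -> list[str]:
    """Requested scopes that the issued token does not carry, in request order."""
    granted = granted_scopes(token_response)
    return [s for s in requested if s not in granted]


def constructed_response(scope_field: str, scope_claim: str) -> dict:
    """Constructed sample token response. The access token is an unsigned stand-in with a
    placeholder signature segment so the check runs offline; a real one is RS256-signed."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "at+jwt"}).encode())
    payload = b64url_encode(json.dumps({"sub": "user1", "scope": scope_claim}).encode())
    return {
        "access_token": f"{header}.{payload}.placeholder-signature",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": scope_field,
    }


# Two constructed outcomes mirroring the report: with 'openid' the custom scope resolves,
# without it the custom scope is absent from both the response field and the token claim.
WITH_OPENID = constructed_response("openid read_orders", "openid read_orders")
WITHOUT_OPENID = constructed_response("", "")


if __name__ == "__main__":
    print(build_token_request("<assertion-jwt>", ["read_orders"], include_openid=False))
    print("missing with openid:   ", missing_scopes(["read_orders"], WITH_OPENID))
    print("missing without openid:", missing_scopes(["read_orders"], WITHOUT_OPENID))
```

Run against a live deployment by POSTing `build_token_request(...)` to the token endpoint and passing the parsed JSON to `missing_scopes`; a non-empty result for the request that omits `openid` reproduces the issue, and the check intersecting the response field with the token claim catches the case where a scope is echoed in the response but never reaches the access token the resource server sees.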

@sadilchamishka sadilchamishka self-assigned this Sep 21, 2024