As a continuation of #269

We should

- create another rule that logs which OAuth scopes RPs request of us
- gather a body of logs so we can determine what scopes RPs request
- based on this data, determine if we can change our logic from
  - give custom claims to all RPs that request any combination of scopes other than only `openid`, to
  - give custom claims to RPs that request the `profile` scope

To do this will depend upon us validating that there are no RPs which

- don't request the `profile` scope
- expect to receive custom claims

An example of this would be an RP that requests `openid` and `email` and expects to receive custom claims.
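As an added illustration (not the project's own rule code), the following sketches both claim-granting policies side by side and runs them over constructed scope-request log lines to list the RPs that would lose custom claims under the proposed logic, i.e. the ones that need validating before the change. The log line format, the `client_id=` / `scope=` fields and the RP names are assumptions for this example.

```javascript
// Added example. Assumes each log line has the constructed form:
//   "<timestamp> client_id=<rp> scope=\"<space-separated scopes>\""

// Current logic: custom claims go to any RP requesting anything beyond `openid` alone.
function currentLogicGrantsClaims(scopes) {
  return scopes.some((s) => s !== 'openid');
}

// Proposed logic: custom claims go only to RPs that request the `profile` scope.
function proposedLogicGrantsClaims(scopes) {
  return scopes.includes('profile');
}

// Parse one log line into { clientId, scopes }; returns null for lines that do not match.
function parseScopeLog(line) {
  const m = /client_id=(\S+)\s+scope="([^"]*)"/.exec(line);
  if (!m) return null;
  return { clientId: m[1], scopes: m[2].split(/\s+/).filter(Boolean) };
}

// Return, per RP, the distinct scope combinations that receive custom claims today
// but would not under the proposed logic. Each such RP must be checked for whether
// it actually expects custom claims (the `openid email` case from the issue text).
function rpsNeedingValidation(lines) {
  const affected = new Map();
  for (const line of lines) {
    const entry = parseScopeLog(line);
    if (!entry) continue;
    const { clientId, scopes } = entry;
    if (currentLogicGrantsClaims(scopes) && !proposedLogicGrantsClaims(scopes)) {
      const combos = affected.get(clientId) || new Set();
      combos.add([...scopes].sort().join(' '));
      affected.set(clientId, combos);
    }
  }
  return Object.fromEntries([...affected].map(([id, s]) => [id, [...s].sort()]));
}

// Constructed sample log (RP names and timestamps are made up for this example).
const SAMPLE_LOG = [
  '2024-01-01T00:00:00Z client_id=rp-dashboard scope="openid profile email"',
  '2024-01-01T00:00:01Z client_id=rp-mailer scope="openid email"',
  '2024-01-01T00:00:02Z client_id=rp-minimal scope="openid"',
  '2024-01-01T00:00:03Z client_id=rp-mailer scope="openid email"',
];

console.log(rpsNeedingValidation(SAMPLE_LOG)); // { 'rp-mailer': [ 'email openid' ] }
```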