When we activate a role in policies, we currently set conditions based on a set of Authentications (IDP, Contract, ...) and/or on Attributes (from LDAP or other stores).
Authentication conditions always fail when we activate roles for the OAuth access token.
Is it a bug, or is it because we are dealing with an authentication vs. authorization issue?
Here is a wishful idea for the authentication conditions when dealing with OAuth access/ID token role activation:
1- Add the clientID as a condition.
2- Solve the current issue with the following approach: the access token holds the clientID in the audience, and the clientID refers to the client application, which holds the authentication procedures.
Note: OAuth access token injection has the same issue.
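To make the proposal concrete, here is an added sketch of a policy-condition evaluator (my own illustration, not the product's code or API). It assumes two things the post does not state: that evaluating a bare access token gives the policy engine no interactive-session authentication context to match (so a session-style authentication condition evaluates to false), and a hypothetical condition type named `ClientId` that matches the requested client ID against the token's `aud` claim. The condition names, the policy layout and the sample token are all constructed for the demo, and the JWT decoding skips signature verification on purpose; a real evaluator must verify or introspect the token before trusting any claim.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Signature verification is deliberately omitted: this sketch only shows
    which claims a condition would look at. Verify the signature (or call
    the introspection endpoint) before trusting any claim in practice.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_audiences(claims: dict) -> set:
    """RFC 7519 allows `aud` to be a single string or an array of strings."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return set(aud)


def eval_condition(cond: dict, ctx: dict) -> bool:
    """Evaluate one (hypothetical) condition type against an evaluation context.

    ctx["session"]  authentication context of an interactive session
                    (e.g. chain and level), or None for a bare access token
    ctx["claims"]   decoded access-token claims, or None
    """
    kind = cond["type"]
    if kind == "AuthenticateToService":
        session = ctx.get("session")
        # Assumption: with no session to inspect, an authentication
        # condition cannot match and evaluates to false.
        return session is not None and session.get("chain") == cond["chain"]
    if kind == "AuthLevel":
        session = ctx.get("session")
        return session is not None and session.get("level", 0) >= cond["level"]
    if kind == "ClientId":  # the proposed condition: match aud against clientID
        claims = ctx.get("claims")
        return claims is not None and cond["client_id"] in token_audiences(claims)
    raise ValueError(f"unknown condition type {kind}")


def activated_roles(policy: dict, ctx: dict) -> list:
    """Return the roles a policy activates; every condition must hold."""
    if all(eval_condition(c, ctx) for c in policy["conditions"]):
        return list(policy["roles"])
    return []


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed sample token (alg=none, for the demo only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data.
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": "https://idp.example.com/oauth2",
    "sub": "alice",
    "aud": ["myWebApp", "api.example.com"],  # clientID lives in the audience
    "scope": "openid profile",
})

SESSION_POLICY = {  # a policy written with a session-style authentication condition
    "roles": ["finance-reader"],
    "conditions": [{"type": "AuthenticateToService", "chain": "ldapService"}],
}

CLIENT_POLICY = {  # the same role activated by the proposed ClientId condition
    "roles": ["finance-reader"],
    "conditions": [{"type": "ClientId", "client_id": "myWebApp"}],
}


def demo() -> dict:
    """Evaluate both policies against the bare access token."""
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    token_ctx = {"session": None, "claims": claims}
    wrong_client = {"roles": ["x"],
                    "conditions": [{"type": "ClientId", "client_id": "otherApp"}]}
    return {
        "session_policy_on_token": activated_roles(SESSION_POLICY, token_ctx),
        "client_policy_on_token": activated_roles(CLIENT_POLICY, token_ctx),
        "client_policy_wrong_client": activated_roles(wrong_client, token_ctx),
    }


if __name__ == "__main__":
    print(demo())
```

Run as-is, the session-style policy activates nothing for the token while the `ClientId` policy activates `finance-reader` only for the client named in `aud`; the same session policy still works when given a session context, which is the authentication-vs-authorization split the question points at.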