Bug
Resolution: Not a Bug
Major
1.15.3.Final
I'm integrating BEARER_TOKEN with the Okta OAuth provider. My app server is WF 23 and JDK is 11.
This is a fragment of a decoded token being returned by the introspection point.
{
  "scp": [
    "openid"
  ],
  "sub": "dev@example.com",
  "carlw2": "user"
}
If I use a Simple Role Decoder on the attribute "scp", my decoded roles are empty:
11:24:56,244 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [dev@example.com] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
The mechanism does handle scalar values. For instance, I defined a Simple Role Decoder on the attribute "carlw2" and was able to get "user" back to the app. See the following log message.
11:23:23,731 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [dev@example.com] -> decoded roles [user] -> domain decoded roles [] -> realm mapped roles [user] -> domain mapped roles [user]