The protocolMappers and roles need to be removed from AuthenticatedClientSessionModel. They are currently there because of:
- Scope parameter: there might be different roles and protocolMappers depending on the scope parameter used in the request.
- Consent: we want to ensure that the same roles+protocolMappers approved on the consent screen are the ones used in the clientSession, and not any others.

There might be an issue here, because right now we have just a single AuthenticatedClientSessionModel per client+userSession. So we rather need to move roles+protocolMappers into the code JWT and the refreshToken JWT, which will ensure that multiple clientSessions of the same userSession may have different roles+protocolMappers according to the scope etc.

There are other things which likely should be removed from AuthenticatedClientSessionModel as well, at least the timestamp and possibly some others. Eventually we need to double-check whether it's possible to remove AuthenticatedClientSessionModel entirely and have the userSession contain just a list of client UUIDs.
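The following is an added illustration of the proposed design, not Keycloak code: the consented roles and protocolMappers are bound into a signed code JWT and carried into the refresh token, while the server-side user session keeps only the set of attached client ids. The class and function names (`UserSession`, `issue_code`, `exchange_code`, `refresh_access`), the claim names (`sid`, `azp`, `roles`, `mappers`), the HS256 signing with a constructed in-memory key and the role/mapper values are all assumptions made for the example. The check on code exchange (the code's `azp` must match the exchanging client, and the signature must verify) is what keeps a client from obtaining claims consented for a different client or editing its own.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo signing key; a real server keeps a persisted, rotated key.
SIGNING_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Serialize claims as a compact HS256 JWT (hypothetical minimal issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, expected_typ: str, key: bytes = SIGNING_KEY) -> dict:
    """Check signature, token type and expiry; return the claims or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("typ") != expected_typ:
        raise ValueError("wrong token type")
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


class UserSession:
    """Server-side user session holding only client ids, no per-client scope state."""

    def __init__(self, user: str):
        self.id = secrets.token_hex(8)
        self.user = user
        self.clients: set = set()


def issue_code(session: UserSession, client_id: str, roles: list, mappers: list,
               ttl: int = 60) -> str:
    """Bind the consented roles/mappers into the authorization code, not the session."""
    session.clients.add(client_id)
    return sign_jwt({
        "typ": "code", "sid": session.id, "sub": session.user, "azp": client_id,
        "roles": sorted(roles), "mappers": sorted(mappers),
        "exp": int(time.time()) + ttl,
    })


def exchange_code(code: str, client_id: str, refresh_ttl: int = 1800) -> tuple:
    """Code -> (access claims, refresh token); roles/mappers come from the verified code."""
    claims = verify_jwt(code, "code")
    if claims["azp"] != client_id:
        raise ValueError("code was issued to a different client")
    carried = {k: claims[k] for k in ("sid", "sub", "azp", "roles", "mappers")}
    access = dict(carried, typ="access", exp=int(time.time()) + 300)
    refresh = sign_jwt(dict(carried, typ="refresh", exp=int(time.time()) + refresh_ttl))
    return access, refresh


def refresh_access(refresh_token: str, sessions: dict) -> dict:
    """Mint a new access token from the roles/mappers carried in the refresh token."""
    claims = verify_jwt(refresh_token, "refresh")
    session = sessions.get(claims["sid"])
    if session is None or claims["azp"] not in session.clients:
        raise ValueError("session revoked or client not attached")
    return dict({k: claims[k] for k in ("sid", "sub", "azp", "roles", "mappers")},
                typ="access", exp=int(time.time()) + 300)


def demo() -> dict:
    """Two clients in one user session end up with different roles/mappers."""
    session = UserSession("alice")
    sessions = {session.id: session}
    code_a = issue_code(session, "app-a", roles=["viewer"], mappers=["email"])
    code_b = issue_code(session, "app-b", roles=["viewer", "admin"], mappers=["email", "groups"])
    access_a, refresh_a = exchange_code(code_a, "app-a")
    access_b, _ = exchange_code(code_b, "app-b")
    renewed_a = refresh_access(refresh_a, sessions)
    return {"session_clients": sorted(session.clients),
            "roles_a": access_a["roles"], "roles_b": access_b["roles"],
            "mappers_b": access_b["mappers"], "renewed_roles_a": renewed_a["roles"]}


if __name__ == "__main__":
    print(demo())
```

Because the per-client roles and mappers live only in the signed tokens, the server can drop `AuthenticatedClientSessionModel` state entirely and still revoke a client by removing it from `session.clients`, which `refresh_access` checks on every refresh.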