Bug
Resolution: Done
Area
oidc
Describe the bug
Issue description:
1. It is possible to add a client scope that does not exist in the realm (for example fake-client-scope) to a client registration policy that uses the allowed-client-templates provider.
2. Registration of a client requesting such a scope should be rejected, since the scope is not one of the existing allowed client scopes.
Version
Keycloak 26.2, nightly (from 2025-06-03)
Regression
[ ] The issue is a regression
Expected behavior
Only valid client scopes should be usable when configuring a client registration policy or a client policy. At the same time, it may be worth considering dynamic client scopes if they are enabled.
Actual behavior
It is possible to use a client scope that does not exist in the realm.
How to Reproduce?
- Create a Keycloak client registration policy with the provider "allowed-client-templates".
- It is possible to add, as an allowed scope, a new scope such as fake-client-scope, which is not part of the realm client scopes and is not available in the "Allowed scope" drop-down list.
===> Being able to add a dummy scope such as fake-client-scope represents a bug.
===> The mitigation consists of accepting only existing realm client scopes and discarding any new scope input.
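As an added example (not code from the report or from Keycloak itself), the check below audits a realm export for allowed-client-templates policies that name a scope the realm does not define, and applies the mitigation described above by keeping only existing scopes. The export fragment is constructed, and the component type key and the "allowed-client-scopes" config key are assumed to match Keycloak's realm export format.

```python
import json

# Constructed realm export fragment (not taken from the report). The component type
# key and the "allowed-client-scopes" config key are assumptions about the export format.
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clientScopes": [{"name": "profile"}, {"name": "email"}, {"name": "roles"}],
    "components": {
        "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
            {"name": "Allowed Client Scopes", "subType": "anonymous",
             "providerId": "allowed-client-templates",
             "config": {"allow-default-scopes": ["true"],
                        "allowed-client-scopes": ["profile", "fake-client-scope"]}},
            {"name": "Trusted Hosts", "subType": "anonymous",
             "providerId": "trusted-hosts", "config": {}},
        ]
    },
})

POLICY_TYPE = "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy"
SCOPE_POLICY_PROVIDER = "allowed-client-templates"
ALLOWED_SCOPES_KEY = "allowed-client-scopes"


def audit_allowed_scopes(realm_json: str) -> dict:
    """Return {policy name: [dangling scope names]} for every allowed-client-templates
    policy whose allowed list names a scope the realm does not define."""
    realm = json.loads(realm_json)
    known = {s["name"] for s in realm.get("clientScopes", [])}
    findings = {}
    for comp in realm.get("components", {}).get(POLICY_TYPE, []):
        if comp.get("providerId") != SCOPE_POLICY_PROVIDER:
            continue
        allowed = comp.get("config", {}).get(ALLOWED_SCOPES_KEY, [])
        dangling = sorted(set(allowed) - known)
        if dangling:
            findings[comp["name"]] = dangling
    return findings


def sanitize_allowed_scopes(allowed, realm_scope_names) -> list:
    """The mitigation the report asks for: keep only scopes that exist in the realm
    and drop any free-text entry, preserving the configured order."""
    known = set(realm_scope_names)
    return [s for s in allowed if s in known]


if __name__ == "__main__":
    for policy, missing in audit_allowed_scopes(REALM_EXPORT).items():
        print(f"{policy}: unknown client scope(s) {missing}")
```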
Anything else?
No response