preferred_username claim not included in access token


Brian Levine

Jul 6, 2021, 5:13:10 PM7/6/21
to Keycloak User

I'm running a Keycloak 12.x server with clients fronted by Apache/mod_auth_openidc. We ran into a problem recently in which a given user couldn't log in because his access token did not include a preferred_username claim. I confirmed this in the Keycloak Admin UI by going to Clients->client_name->Client Scopes->Evaluate and generating the access token for that user. It seems that the preferred_username claim is not being included because the profile scope was not requested, even though the default scopes include profile and I can see profile in the Effective Client Scopes list in the Evaluate UI.

When I look at the generated access token I can see the returned scope set to "scope":"openid email" instead of "scope":"openid email profile roles web-origins". This is not reproducible for other users, who have the scope and preferred_username properties set correctly. I have not yet been able to determine what is different about this user that might cause this behavior.

Also please note that we recently upgraded from Keycloak 4.5 and I've confirmed that this problem is not reproducible in 4.5.

Any clues would be most appreciated.

-b

Brian Levine

Jul 6, 2021, 5:38:49 PM7/6/21
to Keycloak User
Additional info.

It looks like any user that is not a member of a group exhibits this problem. Note that I have a Group Membership mapper associated with the profile scope. So I'm wondering if there's a bug (perhaps in the Group Membership mapper) that's causing the profile scope not to be included when the user doesn't have any groups.
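A way to check tokens for the symptom described in this thread, as an added example that is not code from the thread's author or from Keycloak: it decodes the payload of an access token, compares the granted `scope` string against the expected default scope set and reports any required claims (here only `preferred_username`) that are absent. The expected scope list and the sample tokens are constructed from the values quoted above; the signature is not verified, so this is a diagnostic over tokens already obtained from the Keycloak server, not a validation step.

```python
import base64
import json

# Expected default scopes and required claim, taken from the thread (assumed
# to be the client's intended configuration).
EXPECTED_SCOPES = {"openid", "email", "profile", "roles", "web-origins"}
REQUIRED_CLAIMS = {"preferred_username"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    # Reads the claims only; the signature is NOT checked, so use this for
    # diagnosing tokens you already trust, not for authorization decisions.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_token(token: str) -> dict:
    # Keycloak puts granted scopes in a space-separated "scope" claim.
    claims = jwt_payload(token)
    granted = set(claims.get("scope", "").split())
    return {
        "missing_scopes": sorted(EXPECTED_SCOPES - granted),
        "missing_claims": sorted(REQUIRED_CLAIMS - set(claims)),
    }


def _make_token(payload: dict) -> str:
    # Builds a constructed, unsigned sample token for the demonstration below.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), ""])


# Constructed samples: a healthy token and one like the failing user's.
GOOD_TOKEN = _make_token({"sub": "a", "scope": "openid email profile roles web-origins",
                          "preferred_username": "alice", "email": "alice@example.com"})
BAD_TOKEN = _make_token({"sub": "b", "scope": "openid email", "email": "bob@example.com"})

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, audit_token(tok))
```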