Package org.keycloak.models.cache.infinispan

Class RealmCacheSession

  • All Implemented Interfaces:
    CacheRealmProvider, ClientProvider, ClientScopeProvider, GroupProvider, RealmProvider, RoleProvider, Provider, ClientLookupProvider, ClientScopeLookupProvider, GroupLookupProvider, RoleLookupProvider
    public class RealmCacheSession
extends Object
implements CacheRealmProvider
    - the high level architecture of this cache is an invalidation cache. - the cache is manual/custom versioned. When a model is updated, we remove it from the cache which causes an invalidation message to be sent across the cluster. - We had to do it this way because Infinispan REPEATABLE_READ wouldn't cut it in invalidation mode. Also, REPEATABLE_READ doesn't work very well on relationships and items that are not in the cache. - There are two Infinispan caches. One clustered that holds actual objects and a another local one that holds revision numbers of cached objects. Whenever a cached object is removed (invalidated), the local revision cache number or that key is bumped higher based on a local version counter. Whenever a cache entry is fetched, this revision number is also fetched and compared against the revision number in the cache entry to see if the cache entry is stale. Whenever a cache entry is added, this revision number is also checked against the revision cache. - Revision entries are actually never removed (although they could be evicted by cache eviction policies). The reason for this is that it is possible for a stale object to be inserted if one thread loads and the data is updated in the database before it is added to the cache. So, we keep the version number around for this. - In a transaction, objects are registered to be invalidated. If an object is marked for invalidation within a transaction a cached object should never be returned. An DB adapter should always be returned. - After DB commits, the objects marked for invalidation are invalidated, or rather removed from the cache. At this time the revision cache entry for this object has its version number bumped. - Whenever an object is marked for invalidation, the cache is also searched for any objects that are related to this object and need to also be evicted/removed. We use the Infinispan Stream SPI for this. ClientList caches: - lists of clients are cached in a specific cache entry i.e. realm clients, find client by clientId - realm client lists need to be invalidated and evited whenever a client is added or removed from a realm. RealmProvider now has addClient/removeClient at its top level. All adapaters should use these methods so that the appropriate invalidations can be registered. - whenever a client is added/removed the realm of the client is added to a listInvalidations set this set must be checked before sending back or caching a cached query. This check is required to avoid caching an uncommitted removal/add in a query cache. - when a client is removed, any queries that contain that client must also be removed. - a client removal will also cause anything that is contained and cached within that client to be removed Clustered caches: - There is a Infinispan @Listener registered. If an invalidation event happens, this is treated like the object was removed from the database and will perform evictions based on that assumption. - Eviction events will also cascade other evictions, but not assume this is a db removal. - With an invalidation cache, if you remove an entry on node 1 and this entry does not exist on node 2, node 2 will not receive a @Listener invalidation event. so, hat we have to put a marker entry in the invalidation cache before we read from the DB, so if the DB changes in between reading and adding a cache entry, the cache will be notified and bump the version information. DBs with Repeatable Read: - DBs like MySQL are Repeatable Read by default. So, if you query a Client for instance, it will always return the same result in the same transaction even if the DB was updated in between these queries. This makes it possible to store stale cache entries. To avoid this problem, this class stores the current local version counter at the beginningof the transaction. Whenever an entry is added to the cache, the current coutner is compared against the counter at the beginning of the tx. If the current is greater, then don't cache. Groups and Roles: - roles are tricky because of composites. Composite lists are cached too. So, when a role is removed we also iterate and invalidate any role or group that contains that role being removed. - any relationship should be resolved from session.realms(). For example if JPA.getClientByClientId() is invoked, JPA should find the id of the client and then call session.realms().getClientById(). THis is to ensure that the cached object is invoked and all proper invalidation are being invoked.
    Version:
    $Revision: 1 $
    Author:
    Bill Burke

    • Method Detail

      • getStartupRevision

        public long getStartupRevision()

      • isInvalid

        public boolean isInvalid​(String id)

      • runInvalidations

        protected void runInvalidations()

      • createRealm

        public RealmModel createRealm​(String name)
        Description copied from interface: RealmProvider
        Creates new realm with the given name. The internal ID will be generated automatically.
        Specified by:
        createRealm in interface RealmProvider
        Parameters:
        name - String name of the realm
        Returns:
        Model of the created realm.

      • createRealm

        public RealmModel createRealm​(String id,
                              String name)
        Description copied from interface: RealmProvider
        Created new realm with given ID and name.
        Specified by:
        createRealm in interface RealmProvider
        Parameters:
        id - Internal ID of the realm or null if one is to be created by the underlying store. If the store expects the ID to have a certain format (for example UUID) and the supplied ID doesn't follow the expected format, the store may replace the id with a new one at its own discretion.
        name - String name of the realm
        Returns:
        Model of the created realm.

      • getRealm

        public RealmModel getRealm​(String id)
        Description copied from interface: RealmProvider
        Exact search for a realm by its internal ID.
        Specified by:
        getRealm in interface RealmProvider
        Parameters:
        id - Internal ID of the realm.
        Returns:
        Model of the realm

      • getRealmByName

        public RealmModel getRealmByName​(String name)
        Description copied from interface: RealmProvider
        Exact search for a realm by its name.
        Specified by:
        getRealmByName in interface RealmProvider
        Parameters:
        name - String name of the realm
        Returns:
        Model of the realm

      • removeRealm

        public boolean removeRealm​(String id)
        Description copied from interface: RealmProvider
        Removes realm with the given id.
        Specified by:
        removeRealm in interface RealmProvider
        Parameters:
        id - of realm.
        Returns:
        true if the realm was successfully removed.

      • evictRealmOnRemoval

        public void evictRealmOnRemoval​(RealmModel realm)

      • addClient

        public ClientModel addClient​(RealmModel realm,
                             String clientId)
        Description copied from interface: ClientProvider
        Adds a client with given clientId to the given realm. The internal ID of the client will be created automatically.
        Specified by:
        addClient in interface ClientProvider
        Specified by:
        addClient in interface RealmProvider
        Parameters:
        realm - Realm owning this client.
        clientId - String that identifies the client to the external parties. Maps to client_id in OIDC or entityID in SAML.
        Returns:
        Model of the created client.

      • addClient

        public ClientModel addClient​(RealmModel realm,
                             String id,
                             String clientId)
        Description copied from interface: ClientProvider
        Adds a client with given internal ID and clientId to the given realm.
        Specified by:
        addClient in interface ClientProvider
        Specified by:
        addClient in interface RealmProvider
        Parameters:
        realm - Realm owning this client.
        id - Internal ID of the client or null if one is to be created by the underlying store
        clientId - String that identifies the client to the external parties. Maps to client_id in OIDC or entityID in SAML.
        Returns:
        Model of the created client.

      • getClientsStream

        public Stream<ClientModel> getClientsStream​(RealmModel realm,
                                            Integer firstResult,
                                            Integer maxResults)
        Description copied from interface: ClientProvider
        Returns the clients of the given realm as a stream.
        Specified by:
        getClientsStream in interface ClientProvider
        Parameters:
        realm - Realm.
        firstResult - First result to return. Ignored if negative or null.
        maxResults - Maximum number of results to return. Ignored if negative or null.
        Returns:
        Stream of the clients. Never returns null.

      • getClientsStream

        public Stream<ClientModel> getClientsStream​(RealmModel realm)
        Description copied from interface: ClientProvider
        Returns all the clients of the given realm as a stream. Effectively the same as the call getClientsStream(realm, null, null).
        Specified by:
        getClientsStream in interface ClientProvider
        Parameters:
        realm - Realm.
        Returns:
        Stream of the clients. Never returns null.

      • removeClient

        public boolean removeClient​(RealmModel realm,
                            String id)
        Description copied from interface: ClientProvider
        Removes given client from the given realm.
        Specified by:
        removeClient in interface ClientProvider
        Parameters:
        realm - Realm.
        id - Internal ID of the client
        Returns:
        true if the client existed and has been removed, false otherwise.

      • close

        public void close()
        Specified by:
        close in interface Provider

      • addRealmRole

        public RoleModel addRealmRole​(RealmModel realm,
                              String name)
        Description copied from interface: RoleProvider
        Adds a realm role with given name to the given realm. The internal ID of the role will be created automatically.
        Specified by:
        addRealmRole in interface RealmProvider
        Specified by:
        addRealmRole in interface RoleProvider
        Parameters:
        realm - Realm owning this role.
        name - String name of the role.
        Returns:
        Model of the created role.

      • addRealmRole

        public RoleModel addRealmRole​(RealmModel realm,
                              String id,
                              String name)
        Description copied from interface: RoleProvider
        Adds a realm role with given internal ID and name to the given realm.
        Specified by:
        addRealmRole in interface RealmProvider
        Specified by:
        addRealmRole in interface RoleProvider
        Parameters:
        realm - Realm owning this role.
        id - Internal ID of the role or null if one is to be created by the underlying store
        name - String name of the role.
        Returns:
        Model of the created client.

      • getRealmRolesStream

        public Stream<RoleModel> getRealmRolesStream​(RealmModel realm)
        Description copied from interface: RoleProvider
        Returns all the realm roles of the given realm as a stream. Effectively the same as the call getRealmRolesStream(realm, null, null).
        Specified by:
        getRealmRolesStream in interface RoleProvider
        Parameters:
        realm - Realm.
        Returns:
        Stream of the roles. Never returns null.

      • getClientRolesStream

        public Stream<RoleModel> getClientRolesStream​(ClientModel client)
        Description copied from interface: RoleProvider
        Returns all the client roles of the given client. Effectively the same as the call getClientRoles(client, null, null).
        Specified by:
        getClientRolesStream in interface RoleProvider
        Parameters:
        client - Client.
        Returns:
        Stream of the roles. Never returns null.

      • getRealmRolesStream

        public Stream<RoleModel> getRealmRolesStream​(RealmModel realm,
                                             Integer first,
                                             Integer max)
        Description copied from interface: RoleProvider
        Returns the realm roles of the given realm as a stream.
        Specified by:
        getRealmRolesStream in interface RoleProvider
        Parameters:
        realm - Realm.
        first - First result to return. Ignored if negative or null.
        max - Maximum number of results to return. Ignored if negative or null.
        Returns:
        Stream of the roles. Never returns null.

      • getRolesStream

        public Stream<RoleModel> getRolesStream​(RealmModel realm,
                                        Stream<String> ids,
                                        String search,
                                        Integer first,
                                        Integer max)
        Description copied from interface: RoleProvider
        Returns a paginated stream of roles with given ids and given search value in role names.
        Specified by:
        getRolesStream in interface RoleProvider
        Parameters:
        realm - Realm. Cannot be null.
        ids - Stream of ids. Returns empty Stream when null.
        search - Case-insensitive string to search by role's name or description. Ignored if null.
        first - Index of the first result to return. Ignored if negative or null.
        max - Maximum number of results to return. Ignored if negative or null.
        Returns:
        Stream of desired roles. Never returns null.

      • getClientRolesStream

        public Stream<RoleModel> getClientRolesStream​(ClientModel client,
                                              Integer first,
                                              Integer max)
        Description copied from interface: RoleProvider
        Returns the client roles of the given client.
        Specified by:
        getClientRolesStream in interface RoleProvider
        Parameters:
        client - Client.
        first - First result to return. Ignored if negative or null.
        max - Maximum number of results to return. Ignored if negative or null.
        Returns:
        Stream of the roles. Never returns null.

      • searchForClientRolesStream

        public Stream<RoleModel> searchForClientRolesStream​(ClientModel client,
                                                    String search,
                                                    Integer first,
                                                    Integer max)
        Description copied from interface: RoleLookupProvider
        Case-insensitive search for client roles that contain the given string in their name or description.
        Specified by:
        searchForClientRolesStream in interface RoleLookupProvider
        Parameters:
        client - Client.
        search - String to search by role's name or description.
        first - First result to return. Ignored if negative or null.
        max - Maximum number of results to return. Ignored if negative or null.
        Returns:
        Stream of the client roles their name or description contains given search string. Never returns null.

      • searchForRolesStream

        public Stream<RoleModel> searchForRolesStream​(RealmModel realm,
                                              String search,
                                              Integer first,
                                              Integer max)
        Description copied from interface: RoleLookupProvider
        Case-insensitive search for roles that contain the given string in their name or description.
        Specified by:
        searchForRolesStream in interface RoleLookupProvider
        Parameters:
        realm - Realm.
        search - Searched substring of the role's name or description.
        first - First result to return. Ignored if negative or null.
        max - Maximum number of results to return. Ignored if negative or null.
        Returns:
        Stream of the realm roles their name or description contains given search string. Never returns null.

      • addClientRole

        public RoleModel addClientRole​(ClientModel client,
                               String name)
        Description copied from interface: RoleProvider
        Adds a client role with given name to the given client. The internal ID of the role will be created automatically.
        Specified by:
        addClientRole in interface RoleProvider
        Parameters:
        client - Client owning this role.
        name - String name of the role.
        Returns:
        Model of the created role.

      • addClientRole

        public RoleModel addClientRole​(ClientModel client,
                               String id,
                               String name)
        Description copied from interface: RoleProvider
        Adds a client role with given internal ID and name to the given client.
        Specified by:
        addClientRole in interface RoleProvider
        Parameters:
        client - Client owning this role.
        id - Internal ID of the client role or null if one is to be created by the underlying store.
        name - String name of the role.
        Returns:
        Model of the created role.

      • removeRole

        public boolean removeRole​(RoleModel role)
        Description copied from interface: RoleProvider
        Removes given realm role from the given realm.
        Specified by:
        removeRole in interface RoleProvider
        Parameters:
        role - Role to be removed.
        Returns:
        true if the role existed and has been removed, false otherwise.

      • removeRoles

        public void removeRoles​(RealmModel realm)
        Description copied from interface: RoleProvider
        Removes all roles from the given realm.
        Specified by:
        removeRoles in interface RoleProvider
        Parameters:
        realm - Realm.

      • removeRoles

        public void removeRoles​(ClientModel client)
        Description copied from interface: RoleProvider
        Removes all roles from the given client.
        Specified by:
        removeRoles in interface RoleProvider
        Parameters:
        client - Client.

      • moveGroup

        public void moveGroup​(RealmModel realm,
                      GroupModel group,
                      GroupModel toParent)
        Description copied from interface: GroupProvider
        This method is used for moving groups in group structure, for example:
        • making an existing child group child group of some other group,
        • setting a top level group (i.e. group without parent group) child of some group,
        • making a child group top level group (i.e. removing its parent group).
          Specified by:
          moveGroup in interface GroupProvider
          Specified by:
          moveGroup in interface RealmProvider
          Parameters:
          realm - Realm owning this group.
          group - Group to update.
          toParent - New parent group, or null if we are moving the group to top level group.

        • getGroupsStream

          public Stream<GroupModel> getGroupsStream​(RealmModel realm,
                                          Stream<String> ids,
                                          String search,
                                          Integer first,
                                          Integer max)
          Description copied from interface: GroupProvider
          Returns a paginated stream of groups with given ids and given search value in group names.
          Specified by:
          getGroupsStream in interface GroupProvider
          Parameters:
          realm - Realm.
          ids - Stream of ids.
          search - Case insensitive string which will be searched for. Ignored if null.
          first - Index of the first result to return. Ignored if negative or null.
          max - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of desired groups. Never returns null.

        • getGroupsCount

          public Long getGroupsCount​(RealmModel realm,
                           Stream<String> ids,
                           String search)
          Description copied from interface: GroupProvider
          Returns a number of groups that contains the search string in the name
          Specified by:
          getGroupsCount in interface GroupProvider
          Parameters:
          realm - Realm.
          ids - List of ids.
          search - Case insensitive string which will be searched for. Ignored if null.
          Returns:
          Number of groups.

        • getGroupsCount

          public Long getGroupsCount​(RealmModel realm,
                           Boolean onlyTopGroups)
          Description copied from interface: GroupProvider
          Returns a number of groups/top level groups (i.e. groups without parent group) for the given realm.
          Specified by:
          getGroupsCount in interface GroupProvider
          Specified by:
          getGroupsCount in interface RealmProvider
          Parameters:
          realm - Realm.
          onlyTopGroups - When true the function returns a count of top level groups only.
          Returns:
          Number of groups/top level groups.

        • getGroupsByRoleStream

          public Stream<GroupModel> getGroupsByRoleStream​(RealmModel realm,
                                                RoleModel role,
                                                Integer firstResult,
                                                Integer maxResults)
          Description copied from interface: GroupProvider
          Returns groups with the given role in the given realm.
          Specified by:
          getGroupsByRoleStream in interface GroupProvider
          Parameters:
          realm - Realm.
          role - Role.
          firstResult - First result to return. Ignored if negative or null.
          maxResults - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of groups with the given role. Never returns null.

        • getTopLevelGroupsStream

          public Stream<GroupModel> getTopLevelGroupsStream​(RealmModel realm)
          Description copied from interface: GroupProvider
          Returns all top level groups (i.e. groups without parent group) for the given realm.
          Specified by:
          getTopLevelGroupsStream in interface GroupProvider
          Parameters:
          realm - Realm.
          Returns:
          Stream of all top level groups in the realm. Never returns null.

        • getTopLevelGroupsStream

          public Stream<GroupModel> getTopLevelGroupsStream​(RealmModel realm,
                                                  Integer first,
                                                  Integer max)
          Description copied from interface: GroupProvider
          Returns top level groups (i.e. groups without parent group) for the given realm.
          Specified by:
          getTopLevelGroupsStream in interface GroupProvider
          Parameters:
          realm - Realm.
          first - First result to return. Ignored if negative or null.
          max - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of top level groups in the realm. Never returns null.

        • searchForGroupByNameStream

          public Stream<GroupModel> searchForGroupByNameStream​(RealmModel realm,
                                                     String search,
                                                     Integer first,
                                                     Integer max)
          Description copied from interface: GroupLookupProvider
          Returns the group hierarchy with the given string in name for the given realm. For a matching group node the parent group is fetched by id (with all children) and added to the result stream. This is done until the group node does not have a parent (root group)
          Specified by:
          searchForGroupByNameStream in interface GroupLookupProvider
          Parameters:
          realm - Realm.
          search - Case sensitive searched string.
          first - First result to return. Ignored if negative or null.
          max - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of root groups that have the given string in their name themself or a group in their child-collection has. The returned hierarchy contains siblings that do not necessarily have a matching name. Never returns null.

        • searchForGroupByNameStream

          public Stream<GroupModel> searchForGroupByNameStream​(RealmModel realm,
                                                     String search,
                                                     Boolean exact,
                                                     Integer firstResult,
                                                     Integer maxResults)
          Description copied from interface: GroupLookupProvider
          Returns the group hierarchy with the given string in name for the given realm. For a matching group node the parent group is fetched by id (with all children) and added to the result stream. This is done until the group node does not have a parent (root group)
          Specified by:
          searchForGroupByNameStream in interface GroupLookupProvider
          Parameters:
          realm - Realm.
          search - Case sensitive searched string.
          exact - Boolean which defines wheather search param should be matched exactly.
          firstResult - First result to return. Ignored if negative or null.
          maxResults - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of root groups that have the given string in their name themself or a group in their child-collection has. The returned hierarchy contains siblings that do not necessarily have a matching name. Never returns null.

        • searchGroupsByAttributes

          public Stream<GroupModel> searchGroupsByAttributes​(RealmModel realm,
                                                   Map<String,​String> attributes,
                                                   Integer firstResult,
                                                   Integer maxResults)
          Description copied from interface: GroupLookupProvider
          Returns the groups filtered by attribute names and attribute values for the given realm.
          Specified by:
          searchGroupsByAttributes in interface GroupLookupProvider
          Parameters:
          realm - Realm.
          attributes - name-value pairs that are compared to group attributes.
          firstResult - First result to return. Ignored if negative or null.
          maxResults - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of groups with attributes matching all searched attributes. Never returns null.

        • removeGroup

          public boolean removeGroup​(RealmModel realm,
                           GroupModel group)
          Description copied from interface: GroupProvider
          Removes the given group for the given realm.
          Specified by:
          removeGroup in interface GroupProvider
          Specified by:
          removeGroup in interface RealmProvider
          Parameters:
          realm - Realm.
          group - Group.
          Returns:
          true if the group was removed, false if group doesn't exist or doesn't belong to the given realm

        • createGroup

          public GroupModel createGroup​(RealmModel realm,
                              String id,
                              String name,
                              GroupModel toParent)
          Description copied from interface: GroupProvider
          Creates a new group with the given name, id, name and parent to the given realm.
          Specified by:
          createGroup in interface GroupProvider
          Specified by:
          createGroup in interface RealmProvider
          Parameters:
          realm - Realm.
          id - Id, will be generated if null.
          name - Name.
          toParent - Parent group, or null if the group is top level group
          Returns:
          Model of the created group

        • searchClientsByClientIdStream

          public Stream<ClientModel> searchClientsByClientIdStream​(RealmModel realm,
                                                         String clientId,
                                                         Integer firstResult,
                                                         Integer maxResults)
          Description copied from interface: ClientLookupProvider
          Case-insensitive search for clients that contain the given string in their public client identifier.
          Specified by:
          searchClientsByClientIdStream in interface ClientLookupProvider
          Parameters:
          realm - Realm to limit the search for clients.
          clientId - Searched substring of the public client identifier (client_id in OIDC or entityID in SAML.)
          firstResult - First result to return. Ignored if negative or null.
          maxResults - Maximum number of results to return. Ignored if negative or null.
          Returns:
          Stream of ClientModel or an empty stream if no client is found. Never returns null.

        • getClientByClientId

          public ClientModel getClientByClientId​(RealmModel realm,
                                       String clientId)
          Description copied from interface: ClientLookupProvider
          Exact search for a client by its public client identifier.
          Specified by:
          getClientByClientId in interface ClientLookupProvider
          Parameters:
          realm - Realm to limit the search for clients.
          clientId - String that identifies the client to the external parties. Maps to client_id in OIDC or entityID in SAML.
          Returns:
          Model of the client, or null if no client is found.

        • addClientScope

          public ClientScopeModel addClientScope​(RealmModel realm,
                                       String name)
          Description copied from interface: ClientScopeProvider
          Creates new client scope with given name to the given realm. Spaces in name will be replaced by underscore so that scope name can be used as value of scope parameter. The internal ID will be created automatically.
          Specified by:
          addClientScope in interface ClientScopeProvider
          Parameters:
          realm - Realm owning this client scope.
          name - String name of the client scope.
          Returns:
          Model of the created client scope.

        • addClientScope

          public ClientScopeModel addClientScope​(RealmModel realm,
                                       String id,
                                       String name)
          Description copied from interface: ClientScopeProvider
          Creates new client scope with given internal ID and name to the given realm. Spaces in name will be replaced by underscore so that scope name can be used as value of scope parameter.
          Specified by:
          addClientScope in interface ClientScopeProvider
          Parameters:
          realm - Realm owning this client scope.
          id - Internal ID of the client scope or null if one is to be created by the underlying store
          name - String name of the client scope.
          Returns:
          Model of the created client scope.

        • removeClientScope

          public boolean removeClientScope​(RealmModel realm,
                                 String id)
          Description copied from interface: ClientScopeProvider
          Removes client scope from the given realm.
          Specified by:
          removeClientScope in interface ClientScopeProvider
          Parameters:
          realm - Realm.
          id - Internal ID of the client scope
          Returns:
          true if the client scope existed and has been removed, false otherwise.

        • addClientScopes

          public void addClientScopes​(RealmModel realm,
                            ClientModel client,
                            Set<ClientScopeModel> clientScopes,
                            boolean defaultScope)
          Description copied from interface: ClientProvider
          Assign clientScopes to the client. Add as default scopes (if parameter 'defaultScope' is true) or optional scopes (if parameter 'defaultScope' is false)
          Specified by:
          addClientScopes in interface ClientProvider
          Parameters:
          realm - Realm.
          client - Client.
          clientScopes - to be assigned
          defaultScope - if true the scopes are assigned as default, or optional in case of false

        • getClientScopes

          public Map<String,​ClientScopeModel> getClientScopes​(RealmModel realm,
                                                          ClientModel client,
                                                          boolean defaultScopes)
          Description copied from interface: ClientLookupProvider
          Return all default scopes (if defaultScope is true) or all optional scopes (if defaultScope is false) linked with the client
          Specified by:
          getClientScopes in interface ClientLookupProvider
          Parameters:
          realm - Realm
          client - Client
          defaultScopes - if true default scopes, if false optional scopes, are returned
          Returns:
          map where key is the name of the clientScope, value is particular clientScope. Returns empty map if no scopes linked (never returns null).