
JWT Access token does not contain requested claims when using SAML2 Bearer Grant

Open ashendes opened this issue 3 years ago • 0 comments

Describe the issue: When using SAML2 Bearer Grant, the access token obtained does not contain the requested claims. But the ID token that is subsequently returned contains all the claims. This is because the user is being treated as a federated user when using the SAML2 bearer grant, and claims for federated users are expected to be in the cache when the token is being created [1]. After the access token is created, the claims are added to the cache, hence they are available for the ID token when it is being built. This is not consistent with other OAuth/OIDC grants as they return all the requested claims even in the access token. Therefore, this disparity needs to be fixed.

How to reproduce:

  1. Enable the SAML2 bearer grant in the Travelocity app.
  2. Register SPs for SAML (Travelocity) and OAuth as a client for the bearer grant.
  3. Add the requested claims to the Claim Configuration of the SPs.
  4. Log in to Travelocity and request an OAuth2 access token.
  5. Decode the access token and observe the claims. Compare them with the claims returned in the SAML response as well.
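A way to carry out the comparison in step 5, as an added example that is not part of the issue or of the WSO2 code base: decode the payload of both tokens and list the requested claims that the ID token carries but the access token lacks. The token contents below are constructed, and the decoder only inspects the payload; it performs no signature verification.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT.

    Inspection only: the signature is NOT verified, so this is for comparing
    claim sets during debugging, not for trusting the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def missing_requested_claims(access_token: str, id_token: str, requested: set) -> set:
    """Requested claims present in the ID token but absent from the access token."""
    at_claims = jwt_claims(access_token)
    id_claims = jwt_claims(id_token)
    return {c for c in requested if c in id_claims and c not in at_claims}

def _constructed_jwt(payload: dict) -> str:
    # Constructed sample token with a placeholder signature segment (not a real JWS).
    header = {"alg": "RS256", "typ": "JWT"}
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"

# Constructed payloads mirroring the reported behaviour: the access token lacks
# the user claims, while the ID token issued right after it carries them.
_BASE = {"iss": "https://localhost:9443/oauth2/token", "sub": "alice",
         "aud": "travelocity-oauth-client", "iat": 1626440000, "exp": 1626443600}
REQUESTED = {"email", "given_name", "family_name"}
SAMPLE_ACCESS_TOKEN = _constructed_jwt({**_BASE, "scope": "openid"})
SAMPLE_ID_TOKEN = _constructed_jwt({**_BASE, "email": "alice@example.test",
                                    "given_name": "Alice", "family_name": "Example"})

if __name__ == "__main__":
    missing = missing_requested_claims(SAMPLE_ACCESS_TOKEN, SAMPLE_ID_TOKEN, REQUESTED)
    print("requested claims missing from access token:", sorted(missing))
```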

Expected behavior: All requested claims should be available in the access token.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/f256fde3c79404704dc829ccc8a134174898641f/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/openidconnect/DefaultOIDCClaimsCallbackHandler.java#L142

ashendes avatar Jul 16 '21 13:07 ashendes