We currently have a few clients in a tenant, and have up until now been using CLIENT X. We have set up roles via the Authorization Extension and all of the correct scopes for a user get returned when the user logs in, e.g.: openid profile read:dashboard read:login
However, we are now needing to change the client we are using to CLIENT Y. We have set up everything for this client EXACTLY the same as the first and created an identical role, but for this client, and assigned it to the same user, using the same Audience.
The problem is, we now get all of the scopes assigned to THE API, not scopes specific to this role, e.g.: openid profile read:login read:myaccount read:dashboard. So this includes read:myaccount, which it should not.