I think this is more about tokenless authentication than about external vs mapped X.509 authentication. We allow setting scope with tokenless auth:
https://opendev.org/openstack/keystone/src/commit/71a1fb0437cdb5949d808ba82e36f4586ec7794d/keystone/common/tokenless_auth.py#L48
but I don't see why it should work differently than setting scope for a token request, and if it does need to be different then the requirement to pass the scope in the request body should be relaxed.
I think this is more about tokenless authentication than about external vs mapped X.509 authentication. We allow setting scope with tokenless auth:
https:/ /opendev. org/openstack/ keystone/ src/commit/ 71a1fb0437cdb59 49d808ba82e36f4 586ec7794d/ keystone/ common/ tokenless_ auth.py# L48
but I don't see why it should work differently than setting scope for a token request, and if it does need to be different then the requirement to pass the scope in the request body should be relaxed.