Answering to my own questions:
The missing piece of information was that to make a Dynamic Scopes custom script work, not only does it have to be enabled in the _Manage Custom Scripts_ interface (check box), but also
- a scope has to be defined in the _OpenID Connect Scopes_ interface
- that scope should have _Scope Type_ **Dynamic** (menu)
- the dynamic script should be linked to that scope (_Add dynamic script_ button)
And of course the scope should be allowed for the client in the _OpenID Connect Update Client_ interface (_Add Scope_ button),
and the scope should be requested by the client (e.g. to test with oxauth_rp, add it manually to the _Scope_ list in the _Token Endpoint_ part.
When all this is fine, then one does see the messages printed by the _udpdate_ method of the script in ```oxauth_script.log``` and the dynamic claims are added to the _id_token_ and _userinfo_ responses.
Suggestions:
Add a pointers in the custom scripts section to point to the scopes section and reciprocally:
- [https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes](https://gluu.org/docs/ce/3.0.1/admin-guide/custom-script/#dynamic-scopes)
- [https://gluu.org/docs/ce/3.0.1/admin-guide/openid-connect/#scopes](https://gluu.org/docs/ce/3.0.1/admin-guide/openid-connect/#scopes)
It may seem obvious, but such a back pointer would have saved me hours of useless trials.
Such a back reference could also be shown in the Dynamic Scopes scripts interface (i.e. which scopes are using the script).