Description
Keycloak must take the scope parameter, if present, into account in the refresh token request flow.
The scope parameter MUST NOT include any scope not supported by the client, as in the other OAuth flows.
The new access token scope will contain the assigned default client scopes plus the scopes from the scope parameter (if present), the scope of the refresh flow, and the assigned client scopes.
Moreover, according to Section 6 of the OAuth2 RFC:
If a new refresh token is issued, the refresh token scope MUST be
identical to that of the refresh token included by the client in the
request.
Discussion
No response
Motivation
Although the refresh flow is implemented in Keycloak, it does not take the scope parameter into account.
According to Section 6 of the OAuth2 RFC:
scope
OPTIONAL. The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.
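The scope rules stated in the Description and in the RFC excerpt above, as an added illustration (not Keycloak code): a requested scope must be supported by the client and must not exceed what the presented refresh token was granted, an omitted scope falls back to the originally granted scope, and the new refresh token keeps the old one's scope. Scope names and the client configuration are constructed sample data.

```python
# Added illustration of the refresh-grant scope rules from RFC 6749 Section 6;
# this is not Keycloak's implementation. All scope names are constructed.


class ScopeError(ValueError):
    """Raised when a refresh request asks for a scope it may not be granted."""


def refresh_scopes(client_supported, default_scopes, refresh_token_scope, requested=None):
    """Return (access_token_scope, new_refresh_token_scope) for one refresh request.

    client_supported:    every scope the client may request at all (default + optional)
    default_scopes:      the client's default scopes, always present on an access token
    refresh_token_scope: scope originally granted, carried by the presented refresh token
    requested:           the 'scope' request parameter as sent, or None when omitted
    """
    client_supported = set(client_supported)
    default_scopes = set(default_scopes)
    refresh_token_scope = set(refresh_token_scope)

    if requested is None:
        # Omitted scope is treated as equal to the scope originally granted.
        requested_set = set(refresh_token_scope)
    else:
        requested_set = set(requested.split())
        # Same rule as the other flows: nothing the client is not configured for.
        unsupported = requested_set - client_supported
        if unsupported:
            raise ScopeError(f"invalid_scope: not supported by client: {sorted(unsupported)}")
        # Must not include any scope not originally granted by the resource owner.
        exceeded = requested_set - refresh_token_scope
        if exceeded:
            raise ScopeError(f"invalid_scope: not originally granted: {sorted(exceeded)}")

    # Default client scopes are always issued; optional ones only when (still) requested.
    access_token_scope = default_scopes | (requested_set & refresh_token_scope)
    # A newly issued refresh token keeps the scope of the one presented, so narrowing
    # one access token does not permanently shrink what later refreshes may ask for.
    new_refresh_token_scope = set(refresh_token_scope)
    return access_token_scope, new_refresh_token_scope
```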
Details
No response