Description
In OAuth token exchange (OIDC to OIDC client in Keycloak), the scope parameter is optional.
Currently Keycloak sets the requested scope query parameter as the access token scope. This is wrong. Keycloak must return as scope the Cartesian product of the scope parameter and the scope of the access token.
From the documentation:
When requesting a token, the client can indicate the desired target service(s) where it intends to use that token by way of the audience and resource parameters as well as indicate the desired scope of the requested token using the scope parameter. The semantics of such a request are that the client is asking for a token with the requested scope that is usable at all the requested target services. Effectively, the requested access rights of the token are the Cartesian product of all the scopes at all the target services.
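The following is an added example, not Keycloak's own code: it builds the form parameters of an RFC 8693 token-exchange request (with the optional scope parameter) and checks the scope of the exchanged token against both the subject token's scope and the requested scope. The endpoint values, token strings and scope strings are constructed placeholders, and the rule that an exchanged token must not carry a scope absent from the subject token is an assumption made for the check, not a statement of what Keycloak does.

```python
"""Added example (not Keycloak project code): build an RFC 8693 token-exchange
request and verify that the scope of the exchanged token does not exceed the
subject token's scope or, when a scope parameter was sent, the requested scope.
All token and scope values below are constructed for illustration."""
from typing import List, Optional, Set

# Grant and token-type identifiers from RFC 8693
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token: str, audience: str,
                           scope: Optional[str] = None) -> dict:
    """Form parameters for a token-exchange request; 'scope' is optional."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }
    if scope:  # only sent when the client actually asks for a narrower scope
        params["scope"] = scope
    return params


def scope_set(scope: Optional[str]) -> Set[str]:
    """Split a space-separated scope string into a set; empty/None -> empty set."""
    return set(scope.split()) if scope else set()


def check_exchanged_scope(subject_scope: str, requested_scope: Optional[str],
                          response_scope: Optional[str]) -> List[str]:
    """Return findings about the exchanged token's scope; an empty list means it is acceptable.

    Assumed rule (not from the page): the exchanged token may not carry a scope the
    subject token did not have, and if a scope parameter was sent it may not carry a
    scope that was not requested. Simply echoing the requested scope, as the issue
    describes, fails the first rule whenever the request names a scope the subject
    token lacks."""
    subject = scope_set(subject_scope)
    requested = scope_set(requested_scope)
    granted = scope_set(response_scope)
    findings = []
    escalated = granted - subject
    if escalated:
        findings.append(f"scope not present on subject token: {sorted(escalated)}")
    if requested:
        unrequested = granted - requested
        if unrequested:
            findings.append(f"scope granted but not requested: {sorted(unrequested)}")
    return findings


if __name__ == "__main__":
    # Constructed scenario: subject token has "openid profile email", client asks
    # for "email admin", and the server echoes the requested scope back.
    req = build_exchange_request("SUBJECT_TOKEN_PLACEHOLDER", "target-client",
                                 scope="email admin")
    print(req)
    print(check_exchanged_scope("openid profile email", req.get("scope"), "email admin"))
```

The check flags the echoed scope because "admin" was never on the subject token; a response of "email" alone passes, and a request without a scope parameter that returns the subject token's full scope also passes.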
Discussion
No response
Motivation
Support the scope parameter of OAuth 2.0 token exchange
Details
No response