Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
With my PR, Keycloak now supports the scope parameter in the refresh flow.
However, I have not added a fix for a problem that I found after committing my PR.
Refresh token scopes (if a refresh token must be returned) and client session scopes must not be changed.
From Section 6 in the OAuth 2.0 RFC: "If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request."
This bug in the accepted PR leads to issues like #27878.
However, the accepted PR for fixing the previous issue breaks the specification!
Although the offline_access scope is not in the scope parameter, it is returned in the access scope!
Together with the fact that this PR does not guarantee the same refresh token scopes.
I will commit a new PR for fixing the bug.
Version
24.0.2
Regression
- The issue is a regression
Expected behavior
- Refresh token scopes must be equal to the old refresh token scopes during the refresh token flow.
- offline_access must not be returned in the access scope during a refresh flow when offline_access exists in the refresh token scope but not in the scope parameter.
Actual behavior
- Refresh token scopes are not equal to the old refresh token scopes during the refresh token flow when a scope parameter with fewer scopes is requested.
- offline_access is returned in the access scope during a refresh flow when offline_access exists in the refresh token scope but not in the scope parameter.
How to Reproduce?
Do a refresh flow where offline_access exists in the refresh token scope but not in the scope parameter.
The client must return a refresh token.
Anything else?
No response
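The two rules the issue is about, written out as runnable Python so they can be checked against any server's refresh response. This is an added example, not Keycloak's code or the reporter's PR: `refresh_grant` is a minimal spec-conforming model of the refresh_token grant's scope handling, and `check_refresh_response` lists the RFC 6749 section 6 violations in a token response. The function names and the sample scope strings (`OLD_REFRESH_SCOPE`, `REQUESTED_SCOPE`, `BUGGY_RESPONSE`) are assumptions constructed to mirror the scenario in "How to Reproduce?", not values captured from a running Keycloak.

```python
"""Scope handling for the OAuth 2.0 refresh_token grant (RFC 6749, section 6).

Added example, not Keycloak's code. It models the two rules the issue is about
and gives a check that can be run against a real server's refresh response.
"""
from dataclasses import dataclass
from typing import Optional

OFFLINE_ACCESS = "offline_access"


class InvalidScope(ValueError):
    """Maps to the OAuth 2.0 `invalid_scope` error response."""


def _parse(scope: Optional[str]) -> frozenset:
    # The scope parameter is a space-separated list (RFC 6749, section 3.3).
    return frozenset(scope.split()) if scope else frozenset()


@dataclass(frozen=True)
class RefreshResult:
    access_scope: frozenset
    refresh_scope: frozenset


def refresh_grant(old_refresh_scope: str,
                  requested_scope: Optional[str] = None) -> RefreshResult:
    """Spec-conforming scope handling for a refresh_token request.

    old_refresh_scope: scope bound to the refresh token the client presented.
    requested_scope:   value of the optional `scope` parameter, or None.
    """
    granted = _parse(old_refresh_scope)
    if requested_scope is None:
        # Omitted scope means "the scope originally granted" (section 6).
        access = granted
    else:
        requested = _parse(requested_scope)
        if not requested <= granted:
            # Asking for more than was originally granted is an invalid_scope error.
            raise InvalidScope(f"not granted: {sorted(requested - granted)}")
        # Narrowed access token; offline_access drops out when not requested.
        access = requested
    # A newly issued refresh token keeps exactly the old refresh token's scope.
    return RefreshResult(access_scope=access, refresh_scope=granted)


def check_refresh_response(old_refresh_scope: str, requested_scope: Optional[str],
                           access_scope: str, new_refresh_scope: Optional[str]) -> list:
    """Return the section 6 violations found in a server's refresh response.

    access_scope / new_refresh_scope are the `scope` values carried by the
    returned access token and refresh token (None if no refresh token came back).
    """
    granted = _parse(old_refresh_scope)
    access = _parse(access_scope)
    violations = []
    if new_refresh_scope is not None and _parse(new_refresh_scope) != granted:
        violations.append("refresh token scope changed: "
                          f"{sorted(granted)} -> {sorted(_parse(new_refresh_scope))}")
    if not access <= granted:
        violations.append("access token scope exceeds original grant: "
                          f"{sorted(access - granted)}")
    if (requested_scope is not None and OFFLINE_ACCESS in access
            and OFFLINE_ACCESS not in _parse(requested_scope)):
        violations.append("offline_access returned in access token although not requested")
    return violations


# Constructed sample (assumption): an offline session refreshed with a narrower
# scope parameter, as in the issue's reproduction steps.
OLD_REFRESH_SCOPE = "openid profile offline_access"
REQUESTED_SCOPE = "openid profile"

# Constructed values modelling what the issue reports the affected version returning.
BUGGY_RESPONSE = {"access_scope": "openid profile offline_access",
                  "new_refresh_scope": "openid profile"}


def conforming_response() -> dict:
    """The response the model above produces for the same request."""
    r = refresh_grant(OLD_REFRESH_SCOPE, REQUESTED_SCOPE)
    return {"access_scope": " ".join(sorted(r.access_scope)),
            "new_refresh_scope": " ".join(sorted(r.refresh_scope))}


if __name__ == "__main__":
    print("buggy:", check_refresh_response(OLD_REFRESH_SCOPE, REQUESTED_SCOPE, **BUGGY_RESPONSE))
    print("fixed:", check_refresh_response(OLD_REFRESH_SCOPE, REQUESTED_SCOPE, **conforming_response()))
```

To use the checker against a real deployment, decode the `scope` claim of the access token and of the returned refresh token from the token endpoint response and pass them as `access_scope` and `new_refresh_scope`; the buggy behaviour described above produces two violations (narrowed refresh token scope, and offline_access present in the access token), while a conforming response produces none.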