Requested (additional) scopes get lost in token exchange since Keycloak 24 #29614

@alwibrm

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

Before Keycloak 24 (for example 23.0.7) it was possible to request scopes when doing a token exchange. For example it was possible to request a token with scope offline_access. Since Keycloak 24 the requested scopes get discarded when the original access token does not contain them.

This may be related to the changes from #21638. (Changes from #24323 or #12043 are also partially related, but not directly, since those are about refresh-token handling for the OAuth2 protocol and hence unrelated to token exchange.)

Version

24.0.4

Regression

  • The issue is a regression

Expected behavior

The token obtained from the token exchange should contain the scope offline_access.

Actual behavior

The token contains only the scopes that the original token (before the token exchange) had, in this example only openid.

How to Reproduce?

1.) Obtain an access token with scope openid

curl -i -X POST \
  -H "Content-Type:application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "username=my-user" \
  -d "password=my-password" \
  -d "scope=openid" \
  -d "client_id=testclient" \
'https://my-keycloak.org/auth/realms/acme/protocol/openid-connect/token'

2.) Exchange the token, requesting the additional scope offline_access

curl -i -X POST \
  -H "Content-Type:application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "subject_token=my-token" \
  -d "audience=my-audience" \
  -d "scope=offline_access" \
  -d "client_id=testclient" \
'https://my-keycloak.org/auth/realms/acme/protocol/openid-connect/token'

The resulting token since Keycloak 24 only contains the scope openid but not offline_access. Keycloak 23 contained both scopes in the resulting token.

Anything else?

No response
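As an added illustration (not part of the issue report or of Keycloak's own code), a small Python check that decodes the scope claim of the subject token and of the exchanged token and reports requested scopes that were dropped, as in the regression above, as well as scopes that appeared without being requested. The tokens are constructed, unsigned stand-ins for what the two curl calls return; real tokens must be signature-verified before their claims are trusted.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_scopes(token: str) -> set:
    """Return the space-separated 'scope' claim of a compact JWT as a set.
    Only the payload is parsed here; signature verification is assumed to
    happen elsewhere (never trust claims of an unverified token)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scope", "").split())


def check_exchange(subject_token: str, exchanged_token: str, requested: str) -> dict:
    """Compare the scopes granted by a token exchange with what was asked for.
    'missing'    : requested scopes absent from the exchanged token (the bug above)
    'unexpected' : scopes neither in the subject token nor requested, i.e. a
                   widening of scope a defender would want to flag."""
    subject = jwt_scopes(subject_token)
    granted = jwt_scopes(exchanged_token)
    wanted = set(requested.split())
    return {
        "missing": sorted(wanted - granted),
        "unexpected": sorted(granted - subject - wanted),
        "granted": sorted(granted),
    }


def _unsigned_jwt(claims: dict) -> str:
    # Constructed demo tokens (alg "none", empty signature) standing in for the
    # tokens returned by the curl calls above; real Keycloak tokens are signed.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SUBJECT_TOKEN = _unsigned_jwt({"sub": "my-user", "scope": "openid"})
EXCHANGED_KC24 = _unsigned_jwt({"sub": "my-user", "scope": "openid"})  # behaviour reported on 24.0.4
EXCHANGED_KC23 = _unsigned_jwt({"sub": "my-user", "scope": "openid offline_access"})  # behaviour on 23.0.7

if __name__ == "__main__":
    for label, tok in (("Keycloak 24", EXCHANGED_KC24), ("Keycloak 23", EXCHANGED_KC23)):
        print(label, check_exchange(SUBJECT_TOKEN, tok, "offline_access"))
```

Pointing the same check at the real tokens from the two curl calls turns the reproduction into an automated regression test for scope handling in token exchange.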
