Description
This task is about filtering the scopes in the newly issued token based on the requested audience and the client roles associated with the requested scope.
The idea is to not include scopes in the exchanged token that are linked to client roles belonging to a client that is omitted in the aud token-exchange request parameter.
Example:
Following the names used in the example from the document: when a token exchange request is made with scope=optional-scope2 and audience=target-client1, the scope optional-scope2 should not be included in the token, because optional-scope2 is mapped to target-client2-role (a client role of target-client2), just as the resource access roles of target-client2 are not included.
Implementation Details:
Starting from DefaultClientSessionContext.isClientScopePermittedForUser(), the filtering logic could be extended to filter client roles belonging to clients requested in the audience parameter of the token exchange request.
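The rule described above, as an added model in Python (not Keycloak code and not tied to DefaultClientSessionContext): client scopes carry role scope mappings, and a scope is dropped from the exchanged token when one of its mapped client roles belongs to a client that is absent from the requested audience. Realm roles have no owning client and are ignored by the check. The realm (optional-scope1, target-client1-role, the realm role and the profile scope) is constructed for the example; only optional-scope2, target-client1, target-client2 and target-client2-role come from the issue. The behaviour when no audience is requested at all (no filtering) is an assumption.

```python
"""Model of audience-based client-scope filtering for token exchange.

Added example, not Keycloak code. The dataclasses are constructed stand-ins
for Keycloak's client scope -> role scope mappings.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    client: Optional[str] = None  # None means a realm role, which has no owning client


@dataclass(frozen=True)
class ClientScope:
    name: str
    roles: FrozenSet[Role]  # role scope mappings of this client scope


def scope_permitted_for_audience(scope: ClientScope, audience: FrozenSet[str]) -> bool:
    """Return True if the scope may appear in the exchanged token.

    Rule from the issue: a scope is dropped when it is linked to a client role
    whose owning client was omitted from the requested audience. Realm roles
    do not count, and a scope with no role mappings is always kept.
    Assumption: when no audience was requested, no audience filtering applies.
    """
    if not audience:
        return True
    return all(role.client is None or role.client in audience for role in scope.roles)


def filter_scopes(requested: List[ClientScope], audience: FrozenSet[str]) -> List[str]:
    """Apply the rule to each requested scope; return the names to keep, in order."""
    return [s.name for s in requested if scope_permitted_for_audience(s, audience)]


# Constructed sample realm mirroring the issue's example.
TARGET_CLIENT1_ROLE = Role("target-client1-role", client="target-client1")  # constructed
TARGET_CLIENT2_ROLE = Role("target-client2-role", client="target-client2")
REALM_ROLE = Role("offline_access")  # realm role: no owning client

OPTIONAL_SCOPE1 = ClientScope("optional-scope1", frozenset({TARGET_CLIENT1_ROLE}))  # constructed
OPTIONAL_SCOPE2 = ClientScope("optional-scope2", frozenset({TARGET_CLIENT2_ROLE}))
PROFILE = ClientScope("profile", frozenset())  # no role mappings: always kept
REALM_SCOPE = ClientScope("realm-scope", frozenset({REALM_ROLE}))  # constructed

if __name__ == "__main__":
    requested = [OPTIONAL_SCOPE1, OPTIONAL_SCOPE2, PROFILE, REALM_SCOPE]
    # optional-scope2 is dropped because target-client2 is not in the audience
    print(filter_scopes(requested, frozenset({"target-client1"})))
```

Running it with audience=target-client1 keeps optional-scope1, profile and realm-scope and drops optional-scope2; requesting both target clients as audience keeps optional-scope2 again.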