Moreover, UserInfo must be restricted based on Access Token scopes. For example access token produced by refresh flow with scope parameter.
I have implemented it by filtering default Client scopes based on access token scope. If you have another idea , we could discuss it.

I have rebase it to main.

I would like to mention that based on documentation only access token scopes are filtering based on scope parameter. Refresh token scope - if must be returned - are not changed.

Could you review the PR in order Keycloak to be compliant with OAuth refresh token flow?

@cgeorgilakis Sorry for late response. Thanks for this PR! Added few minor comments inline.

Could you please also rebase this PR on top of latest main? This should also trigger the GH actions build.

I will make corrections and rebase. I will only do it next week due to conference participation.

@cgeorgilakis Thanks, much better now. I've added 2 minor comments regarding tests. One is follow-up of your previous change. Second is something I overlooked before...

There is also DCO check failing in your PR. This is new check added recently to Keycloak due CNCF requirements about adding signatures to the commits. See https://github.com/keycloak/keycloak/blob/main/CONTRIBUTING.md#developers-certificate-of-origin . Is it possible to squash commits in this PR and make sure that your signature is added?

Of course, I will do it before merging. Could you see my last changes and comments before proccessing to this?

@cgeorgilakis Thanks for your latest changes. It seems that if you squash the commits and add the signature to fix DCO, we should be good.

@cgeorgilakis Thanks for your latest changes. It seems that if you squash the commits and add the signature to fix DCO, we should be good.

Done.