How to add arbitrary values to Token "scope" attribute


I'm looking into implementing an OIDC health care spec using Keycloak. The requirements of the spec suggest that I should be able to insert user permission scopes into the token's "scope" attribute.

See the Health Relationship Trust Profile for Fast Healthcare Interoperability Resources (FHIR) OAuth 2.0 Scopes for an example of a token response with the "scope" parameter including custom scopes. I want to insert permissions like these into the Keycloak token response dynamically during an authentication workflow (e.g. a custom auth step), but I am unsure of how to do so.

HTTP/1.1 200 OK
Date: Tue, 16 Dec 2014 03:00:14 GMT
Access-Control-Allow-Origin: *
Content-Type: application/json;charset=ISO-8859-1
Connection: close

{
   "access_token": "eyJhbGci...LWJu9grrA",
   "scope": "patient/*.* sens/ETH sens/PSY btg",
   "token_type": "Bearer",
   "aud": "",
   "rec": ""
}

I also notice there is code which seems to prevent using protocol mappers to map values into scope.

See code in #L131 (I can't link to it as I'm a new discord user and can only include two links).

Ideally, could I interact with the ClientSessionContext and do something that influences the "scope" string? See below.

I've also reviewed this thread, "how-to-add-value-to-the-jwt-tokens-scope-attribute/950", which seems like a last resort.
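Whatever ends up putting the custom values into the token response, the consuming resource server still has to parse that "scope" string and decide what a request is allowed to do. The following is an added example (not part of the original post, and not Keycloak or HEART project code) of a resource-server-side parser for the scope string shown above. It assumes the SMART-on-FHIR v1 clinical scope grammar `context/resource.permission` (for example `patient/*.*`), and it treats `sens/<code>` tokens as sensitivity labels and `btg` as a break-the-glass flag; those two interpretations are assumptions about the HEART example, not something the post states. The sample token response body is constructed from the fields quoted in the post.

```python
import json
import re

# Constructed sample: the token response quoted in the post, completed into a
# full JSON body (the "aud"/"rec" fields from the quote are omitted here).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "eyJhbGci...LWJu9grrA",
    "scope": "patient/*.* sens/ETH sens/PSY btg",
    "token_type": "Bearer",
})

# SMART-on-FHIR v1 clinical scope: <context>/<ResourceType or *>.<read|write|*>
# (assumption: this is the grammar the custom scopes in the post follow).
CLINICAL_SCOPE_RE = re.compile(
    r"^(?P<context>patient|user|system)/"
    r"(?P<resource>\*|[A-Z][A-Za-z]*)\."
    r"(?P<perm>read|write|\*)$"
)
SENSITIVITY_PREFIX = "sens/"   # assumption: sens/ETH, sens/PSY are sensitivity labels
BREAK_THE_GLASS = "btg"        # assumption: btg is a break-the-glass flag


def parse_scope_string(scope):
    """Split an RFC 6749 space-delimited scope string into structured parts.

    Returns a dict with:
      clinical    - list of (context, resource, permission) tuples
      sensitivity - set of sensitivity codes (e.g. {"ETH", "PSY"})
      flags       - set of bare flags recognised (currently only "btg")
      other       - set of tokens not understood (e.g. "openid"); these grant
                    nothing, so unknown or malformed values fail closed
    """
    parsed = {"clinical": [], "sensitivity": set(), "flags": set(), "other": set()}
    for token in scope.split():
        m = CLINICAL_SCOPE_RE.match(token)
        if m:
            parsed["clinical"].append((m["context"], m["resource"], m["perm"]))
        elif token.startswith(SENSITIVITY_PREFIX) and len(token) > len(SENSITIVITY_PREFIX):
            parsed["sensitivity"].add(token[len(SENSITIVITY_PREFIX):])
        elif token == BREAK_THE_GLASS:
            parsed["flags"].add(token)
        else:
            parsed["other"].add(token)
    return parsed


def parse_token_response(body):
    """Parse a JSON token response and return its parsed scopes.

    Rejects anything that is not a Bearer token; a missing "scope" parameter
    is treated as granting nothing rather than as an error.
    """
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type: %r" % data.get("token_type"))
    if not isinstance(data.get("access_token"), str) or not data["access_token"]:
        raise ValueError("missing access_token")
    return parse_scope_string(data.get("scope", ""))


def is_permitted(parsed, context, resource, action):
    """Check whether a (context, resourceType, read|write) request is covered.

    A wildcard resource ("*") covers every resource type and a wildcard
    permission ("*") covers both read and write; contexts never cross over
    (a patient/ scope does not grant user/ access).
    """
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    for ctx, res, perm in parsed["clinical"]:
        if ctx == context and res in ("*", resource) and perm in ("*", action):
            return True
    return False


def may_access_sensitive(parsed, sensitivity_code):
    """Sensitive data is released only with the matching sens/ label or btg."""
    return sensitivity_code in parsed["sensitivity"] or BREAK_THE_GLASS in parsed["flags"]


if __name__ == "__main__":
    scopes = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    print(scopes)
    print(is_permitted(scopes, "patient", "Observation", "read"))
    print(may_access_sensitive(scopes, "PSY"))
```

The parser fails closed: anything it does not recognise lands in `other` and grants no access, which is the behaviour you want when the authorization server may emit scope values the resource server was not written for.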