Scope Narrowing Access Token with Refresh token

Hello Keycloakers, I have recently picked up the OAuth2 spec and decided to use Keycloak as an auth server. I am facing difficulties in a certain aspect. I want to be able to request multiple access tokens with narrow scope when a user is first authenticated or whenever one of those narrowed tokens expires. This is because I want a level of isolation between the different resource servers which are going to receive the tokens, i.e. avoid one resource server receiving a token with too many privileges (full scope).
So I read in the OAuth2 spec that the refresh token endpoint can be used to retrieve a token with a narrower scope. At the moment, whenever a user authenticates, a refresh and access token with full scope are generated (but they are not used for communication). I imagined that I can use the issued refresh token to generate a couple of new narrower access tokens which are going to be used against the resource servers. But whenever I call the /token endpoint with grant type refresh_token, even including the scope in the request, I still receive an access token with the same full scope. I do know that the refresh token also contains a list of the initially requested scopes (in this case the full scopes), and I was wondering if the scopes in the refresh token somehow override Keycloak's decision when I request a narrower scope in the /token request POST payload.

Excerpt from RFC 6749 - https://tools.ietf.org/html/rfc6749

Refresh tokens are credentials used to obtain access tokens. Refresh
tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner). Issuing a refresh token is optional at the discretion of the
authorization server. If the authorization server issues a refresh
token, it is included when issuing an access token (i.e., step (D) in
Figure 1).

Any help would be greatly appreciated.


Is this forum dead, or is no one aware of this problem?

Bumping this post since it is still unresolved

I have recently come across the same issue with Keycloak 17.0.0. Setting a scope with the /token endpoint while grant_type=refresh_token has no effect - the parameter is ignored no matter the value. I would like to use this to narrow the scope of the returned access token.
Are there any updates? Can anyone acknowledge whether this is an issue or simply a different interpretation of the RFC?
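The scope-narrowing refresh flow described in the opening post, and the Keycloak 17 behaviour reported in the last reply (the `scope` parameter on a `grant_type=refresh_token` request being ignored), both come down to the same client-side question: did the token the server handed back actually carry the narrower scope that was asked for? The following is an added example, not code from the thread or from Keycloak, showing how a client can perform the refresh-token grant with a `scope` parameter and refuse to forward an access token whose granted scope exceeds what was requested, so a resource server never receives a full-scope token by accident. The token endpoint URL, client credentials, scope names and the `fake_keycloak` stand-in server are all constructed for illustration; the only real behaviour relied on is RFC 6749 §6 (refresh grant with optional `scope`) and the `scope` claim / response field.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Set


class ScopeNotNarrowedError(Exception):
    """The authorization server returned a broader scope than was requested."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_scopes(access_token: str) -> Set[str]:
    """Return the space-separated `scope` claim of a JWT payload as a set.

    Only the payload is parsed here; signature verification belongs to the
    resource server that consumes the token and is deliberately not done.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("scope", "").split())


def http_post_form(url: str, fields: Dict[str, str]) -> Dict:
    """Default transport: POST an application/x-www-form-urlencoded body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def refresh_narrowed(token_endpoint: str, client_id: str, client_secret: str,
                     refresh_token: str, requested_scopes: Iterable[str],
                     post_form: Callable[[str, Dict[str, str]], Dict] = http_post_form) -> str:
    """Run the refresh-token grant (RFC 6749 §6) asking for a narrower scope,
    and return the access token only if the server actually narrowed it."""
    requested = set(requested_scopes)
    response = post_form(token_endpoint, {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": " ".join(sorted(requested)),
    })
    access_token = response["access_token"]
    # Check both places the granted scope can appear: the token response's
    # `scope` field (RFC 6749 §5.1) and the JWT's own `scope` claim.
    granted = set(response.get("scope", "").split()) | jwt_scopes(access_token)
    extra = granted - requested
    if extra:
        raise ScopeNotNarrowedError(
            f"server ignored scope narrowing; unrequested scopes present: {sorted(extra)}")
    return access_token


def fake_keycloak(granted_scopes: Iterable[str]) -> Callable[[str, Dict[str, str]], Dict]:
    """Constructed stand-in for a /token endpoint that returns a token with a
    fixed scope set regardless of the `scope` parameter (the behaviour the
    thread reports). The token is unsigned (alg=none) purely for illustration."""
    def post_form(url: str, fields: Dict[str, str]) -> Dict:
        scope = " ".join(sorted(granted_scopes))
        header = {"alg": "none", "typ": "JWT"}
        payload = {"iss": url, "typ": "Bearer", "scope": scope}
        token = ".".join(_b64url_encode(json.dumps(x).encode()) for x in (header, payload)) + "."
        return {"access_token": token, "token_type": "Bearer", "scope": scope}
    return post_form


def demo() -> Dict[str, str]:
    """Exercise the guard against a server that ignores `scope` and one that honours it."""
    endpoint = "https://keycloak.example/realms/demo/protocol/openid-connect/token"  # constructed
    requested = {"openid", "orders:read"}
    full_scope = {"openid", "profile", "email", "orders:read", "payments:write"}
    results = {}
    try:
        refresh_narrowed(endpoint, "orders-client", "<secret>", "<refresh-token>",
                         requested, post_form=fake_keycloak(full_scope))
        results["ignores_scope"] = "accepted"
    except ScopeNotNarrowedError:
        results["ignores_scope"] = "rejected"
    refresh_narrowed(endpoint, "orders-client", "<secret>", "<refresh-token>",
                     requested, post_form=fake_keycloak(requested))
    results["honours_scope"] = "accepted"
    return results


if __name__ == "__main__":
    print(demo())  # {'ignores_scope': 'rejected', 'honours_scope': 'accepted'}
```

The guard does not make Keycloak narrow the token; it only ensures that a full-scope token never reaches a resource server that was meant to see a narrower one, which is the isolation goal the opening post describes. If the server behaves as the last reply reports, the call fails closed and the client can fall back to requesting the narrower scope through a fresh authorization rather than forwarding the broad token.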