Scope Narrowing Access Token with Refresh token

Hello Keycloakers, I have recently picked up the OAuth2 spec and decided to use Keycloak as an auth server. I am facing difficulties in a certain aspect. I want to be able to request multiple access tokens with narrow scope when a user is first authenticated or whenever one of those narrowed tokens expires. This is due to the fact that I want a level of isolation between the different resource servers which are going to receive the tokens, i.e. avoid one resource server receiving a token with too many privileges (full scope).
So I read in the OAuth2 spec that the refresh token endpoint can be used to retrieve a token with a narrower scope. At the moment, whenever a user authenticates, a refresh and access token with full scope are generated (but they are not used for communication). I imagined that I can use the issued refresh token to generate a couple of new narrower access tokens which are going to be used against the resource servers. But whenever I call the /token endpoint with grant type refresh_token, and even include the scope with the request, I still receive an access token with the same full scope. I do know that the refresh token also contains a list of the initially requested scopes (in this case the full scopes), and I was wondering if the scopes in the refresh token somehow override Keycloak’s decision when I request a narrower scope in the /token request POST payload.

Excerpt from rfc6749 - https://tools.ietf.org/html/rfc6749

Refresh tokens are credentials used to obtain access tokens. Refresh
tokens are issued to the client by the authorization server and are
used to obtain a new access token when the current access token
becomes invalid or expires, or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner). Issuing a refresh token is optional at the discretion of the
authorization server. If the authorization server issues a refresh
token, it is included when issuing an access token (i.e., step (D) in
Figure 1).

Any help would be greatly appreciated.


Is this forum dead, or is no one aware of this problem?

Bumping this post since it is still unresolved

I recently came across the same issue with Keycloak 17.0.0. Setting a scope with the /token endpoint while grant_type=refresh_token has no effect - the parameter is ignored no matter the value. I would like to use this to narrow the scope of the returned access token.
Are there any updates? Can anyone acknowledge whether this is an issue or simply a different interpretation of the RFC?

I have just come across the same issue with Keycloak 15.1.1. I need to narrow down the scopes of both refresh and access tokens.
I am aware that rfc6749 doesn’t say anything about narrowing down of the refresh token scope, because “issuing a refresh token is optional at the discretion of the authorization server”, but in my opinion at least “obtain access tokens with identical or narrower scope” should be implemented for conformance with rfc6749.