Hello Keycloakers, I have recently picked up the OAuth2 spec and decided to use Keycloak as an auth server. I am facing difficulties in a certain aspect. I want to be able to request multiple access tokens with narrow scope when a user is first authenticated or whenever one of those narrowed tokens expires. This is due to the fact that I want a level of isolation between the different resource servers which are going to receive the tokens, i.e. avoid one resource server receiving a token with too many privileges (full scope).
So I read in the OAuth2 spec that the refresh token endpoint can be used to retrieve a token with a narrower scope. At the moment, whenever a user authenticates, a refresh and access token with full scope are generated (but they are not used for communication). I imagined that I can use the issued refresh token to generate a couple of new narrower access tokens which are going to be used against the resource servers. But whenever I call the /token endpoint with grant type refresh_token, and even include the scope with the request, I still receive an access token with the same full scope. I do know that the refresh token also contains a list of the initially requested scopes (in this case the full scopes), and I was wondering if the scopes in the refresh token somehow override Keycloak's decision when I request a narrower scope in the /token request POST payload.
Excerpt from rfc6749 - https://tools.ietf.org/html/rfc6749
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token (i.e., step (D) in Figure 1).
Any help would be greatly appreciated.
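The refresh-with-narrower-scope exchange described in the post, as an added example that is not part of the original post and not Keycloak's own code. It builds the RFC 6749 section 6 refresh request with the optional `scope` parameter, then, before a narrowed token is forwarded to a resource server, decodes the returned access token and checks that the `scope` claim really is a subset of what was requested; a token that still carries the full scope is rejected instead of being handed on. The endpoint URL, realm name, client credentials, scope names and the two sample tokens are constructed placeholders; the sample tokens are unsigned, and a real resource server must verify the signature against the realm's JWKS rather than use the decode-only helper here.

```python
"""Added example (not from the original post or from Keycloak): issue a
refresh_token grant with a narrowed `scope`, then verify that the access
token actually came back narrowed before handing it to a resource server.
All endpoint names, credentials and tokens below are constructed placeholders."""
import base64
import json
import urllib.parse
import urllib.request

# Keycloak token endpoint path; host and realm name are assumed placeholders.
TOKEN_ENDPOINT = "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token"


def build_refresh_request(refresh_token, client_id, client_secret, scopes):
    """Form-encode the RFC 6749 section 6 refresh request, including the
    optional `scope` parameter that asks for a narrower access token."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    }).encode()


def refresh(refresh_token, client_id, client_secret, scopes):
    """POST the refresh request and return the parsed token response (network call)."""
    req = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=build_refresh_request(refresh_token, client_id, client_secret, scopes),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # Re-add the padding that JWS base64url strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Acceptable for inspecting a token the client just received over TLS from
    the authorization server; resource servers must still verify signatures."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_scopes(token):
    # Keycloak puts the granted scopes in a space-separated `scope` claim.
    return set(jwt_claims(token).get("scope", "").split())


def excess_scopes(token, requested):
    """Scopes granted beyond what was requested. Non-empty means the AS
    ignored the scope parameter and the token is too broad to forward."""
    return token_scopes(token) - set(requested)


def narrowed_token_or_none(token_response, requested):
    """Return the access token only if it was genuinely narrowed."""
    token = token_response["access_token"]
    return None if excess_scopes(token, requested) else token


# --- constructed sample tokens (placeholder signature, for offline use) ---
def _sample_jwt(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


FULL_SCOPE_TOKEN = _sample_jwt({"sub": "u1", "scope": "openid profile email orders:read orders:write"})
NARROW_TOKEN = _sample_jwt({"sub": "u1", "scope": "openid orders:read"})

if __name__ == "__main__":
    requested = ["openid", "orders:read"]
    # Full-scope token: the refresh grant did not narrow it, so it must not be forwarded.
    print("excess on full token:", excess_scopes(FULL_SCOPE_TOKEN, requested))
    print("forward full token?", narrowed_token_or_none({"access_token": FULL_SCOPE_TOKEN}, requested) is not None)
    print("forward narrow token?", narrowed_token_or_none({"access_token": NARROW_TOKEN}, requested) is not None)
```

The check is deliberately on the client side: if the authorization server returns the full-scope token in the situation the post describes, `narrowed_token_or_none` returns `None` and the caller can fall back to a fresh authorization request or fail closed, rather than leaking an over-privileged token to a resource server that should only ever see `orders:read`.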