Segregate client and service account scopes

Hi all!

I am looking for a way to have a different list of scopes available for users and service accounts. In my case, I have a lot of different resources (let’s say ‘user’, ‘account’, ‘device’, and ‘note’).

Here I need to allow users to CRUD their devices and notes but prevent editing their account details. Moreover, I want to allow clients to take care of their users and accounts but not to interact with users' devices, etc.

The final goal here is to allow the client to authorize against Keycloak with its credentials and gain a service account access token with 'scope=account user', and in addition to that to allow the user to gather its access token only with 'scope=device note'.

I think that a user-based goal could be achieved via the client’s scopes but I don’t have any ideas on how to make it work with the service account.

Thank you in advance for any help provided!

PS: if it is already described somewhere, I would be thankful for the link!