I've investigated into keycloak to find out whether it completely conforms to
Financial API Read Only Profile Requirements for Authorization Server and found that it
does not satisfy only one point.
Therefore, I've implemented this point, namely always including OAuth scope in the
response from Token Endpoint.
Financial API is API's security requirement for API services in financial sector.
It is specified by OpenID Foundation.
Financial API Read Only Profile Requirements for Authorization Server is the following.
* shall return the list of allowed scopes with the issued access token;
is met by this PR.
Hope this PR is reviewed and merged.