Hello. I've investigated into keycloak to find out whether it completely conforms to Financial API Read Only Profile Requirements for Authorization Server and found that it does not satisfy only one point. Therefore, I've implemented this point, namely always including OAuth scope in the response from Token Endpoint. Financial API is API's security requirement for API services in financial sector. It is specified by OpenID Foundation. http://openid.net/wg/fapi/ Financial API Read Only Profile Requirements for Authorization Server is the following. http://openid.net/specs/openid-financial-api-part-1.html#authorization-se... * shall return the list of allowed scopes with the issued access token; is met by this PR. https://github.com/keycloak/keycloak/pull/4527 Hope this PR is reviewed and merged. Best Regards Takashi Norimatsu Hitachi, Ltd.