[keycloak-user] Use OIDC Scope to limit the roles included in Offline Token and/or to enforce separation of duties?

Suppose there are some limited families of APIs to which we would want users to explicitly delegate access. We were thinking we could assign a role to the user that allows the use of each of the families of APIs (say for example that with the "quantum_singularity" role, they can use the "tetrion_emission" APIs, and with the "borg_cube" role, they can use the "culture_assimilation" APIs). Can we (and if so, how best would we) use openid scope to * Offline refresh tokens - Allow the user to delegate a 3rd-party app to act on their behalf in an offline fashion that is limited to one, the other, or both of the quantum_singularity and/or borg_cube roles? * Separation of duties - (only partially-related question) Allow an app to enforce separation of duties such that an online, logged-in user can only have one or the other, but not both of the quantum_singularity and/or borg_cube roles for the duration of a session? I think I gathered from this thread in keycloak-dev (http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that these things should be possible, but I was hoping to confirm and to get pointers to docs with practical guidance for how best to do these two things. Thanks! Regards, Peter K. Boucher