We have a system in place where a user is granted API access tokens for a project. These tokens can also have permissions associated with them (it could be as simple as read/write or read-only). In any case, if we migrate to SSO with OIDC, I'm not sure how best to re-implement such a solution.

Should it even be a concern of the OIDC system? If so, is it something that's being considered as a Keycloak feature? For example, GitHub allows tokens to be generated and used in place of a password to access their OAuth 2.0 API.

Thanks,

Scott