[keycloak-user] Authorization returning less scopes than requested

luke at code-house.org luke at code-house.org
Thu Feb 22 10:32:52 EST 2018


Hey,
At the beginning, I would like to say thank you, for delivering such great software, and also people who read this message for handling community support. :-)

I came to Keycloak because I need two of its functionalities - OIDC provider and also identity broker. I integrate with services which have a predefined set of scopes. My application can request multiple scopes such as "patient/*.write" (write data related to patient); however, the user or the system where authentication takes place may decide to grant lower access than requested.
For example, the above patient write scope request might be constrained to "patient/*.read" or even a subset of that, "patient/Patient.read" (patient demographics). The reason why it might happen depends on a few things - because the user decides to unmark these on the consent page, or it might not be allowed by the system. In the second case the user will not even be asked about giving such permission to his data.

From a logical point of view, as long as the authorisation request ends up with a token grant, these are still proper tokens which the application must handle. The question is - is such a use case supported by Keycloak?
Also, how should I map such wildcard scopes in Keycloak?

The second use case which I have is similar to the first one. The main difference is that it must be implemented on the Keycloak authorisation part - when the user application requests an access token, it sends two scopes, let's call them "user" and "patient". Because the application doesn't know the actual permissions of the user, it cannot decide which scopes should be used. We theoretically could work around that with two login pages resulting in different scope requests. However, our intention is to implement this on the Keycloak side - based on our own logic we will know what the role of a given user is and which scope is permitted. Biggest question - which extension point, if any is available, could we use for that?

Kind regards,
Łukasz
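The first use case above rests on a point every OAuth client has to handle regardless of the server: per RFC 6749 section 3.3, when the issued scope differs from the requested one the server must return the `scope` parameter in the token response, and the client must read it rather than assume it got what it asked for. The following is an added example (not code from the original post, and not Keycloak's own behaviour) of a client-side check that parses the returned `scope` value, decides which concrete operations the granted scopes permit, and classifies each requested scope as fully honoured, narrowed or refused. The "context/Resource.action" grammar follows the scopes quoted in the question; the rule that `*` includes `write` and `write` includes `read` is an assumption made to match the narrowing the question describes.

```python
"""Client-side comparison of granted vs requested scopes (constructed example).

The scope grammar "context/Resource.action" follows the scopes quoted in the
question (patient/*.write, patient/Patient.read). The ordering read < write < *
is an assumption for this example, not a rule of any particular server.
"""
import re
from dataclasses import dataclass

# Assumed grammar: context is patient|user|system, resource is a type name
# or '*', action is read|write|'*'.
_SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")

# Assumed ordering: a granted action permits every action of lower or equal rank.
_ACTION_RANK = {"read": 1, "write": 2, "*": 3}


@dataclass(frozen=True)
class Scope:
    context: str
    resource: str
    action: str

    def __str__(self) -> str:
        return f"{self.context}/{self.resource}.{self.action}"


def parse_scope(text: str) -> Scope:
    """Parse one scope string; raise on anything outside the assumed grammar."""
    m = _SCOPE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised scope: {text!r}")
    return Scope(*m.groups())


def parse_scope_param(scope_param: str) -> list[Scope]:
    """Parse the space-delimited 'scope' value of a token response.

    Strings the client does not understand (e.g. 'openid') are skipped:
    an unknown scope must never be treated as a grant of anything.
    """
    granted = []
    for token in scope_param.split():
        try:
            granted.append(parse_scope(token))
        except ValueError:
            continue
    return granted


def _covers(granted: Scope, wanted: Scope) -> bool:
    """True if `granted` permits everything `wanted` names (resource and action)."""
    return (
        granted.context == wanted.context
        and granted.resource in ("*", wanted.resource)
        and _ACTION_RANK[granted.action] >= _ACTION_RANK[wanted.action]
    )


def permitted(granted: list[Scope], context: str, resource: str, action: str) -> bool:
    """Decide a concrete operation: is `action` on `resource` in `context` allowed?"""
    wanted = Scope(context, resource, action)
    return any(_covers(g, wanted) for g in granted)


def classify_grant(requested: list[str], granted: list[Scope]) -> dict[str, str]:
    """Label each requested scope 'full', 'partial' (narrowed) or 'none'.

    'partial' means some granted scope touches the same context and resource
    but does not cover the whole request, e.g. patient/*.write narrowed to
    patient/Patient.read; the client should enable only the narrower feature set.
    """
    result = {}
    for text in requested:
        wanted = parse_scope(text)
        if any(_covers(g, wanted) for g in granted):
            result[text] = "full"
        elif any(
            g.context == wanted.context
            and ("*" in (g.resource, wanted.resource) or g.resource == wanted.resource)
            for g in granted
        ):
            result[text] = "partial"
        else:
            result[text] = "none"
    return result


if __name__ == "__main__":
    # Constructed token-response 'scope' value: the server narrowed the patient
    # write request to read-only demographics and refused the system scope.
    requested = ["patient/*.write", "user/*.read", "system/*.read"]
    granted = parse_scope_param("openid patient/Patient.read user/*.read")
    print(classify_grant(requested, granted))
    print("may write Patient:", permitted(granted, "patient", "Patient", "write"))
```

The point of `classify_grant` is that the client branches on what was actually granted: a "partial" result for the write scope means the UI should expose only the read path for patient demographics, and a "none" result means that feature stays off entirely, even though the token itself is perfectly valid.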

