According to the official API documentation (Authentication API Explorer), we should be able to authorise with a set of scopes, and then use the returned refresh token to retrieve an access token with a subset of those scopes.
Unfortunately my experimentation with the library suggests it does not support this use-case (when using the refreshTokens option, anyway). If I pass a set of scopes in when I create the client, then supply a restricted set of scopes in the call to getAccessTokenSilently, the token returned is the same for all subsets of scopes.
I suspect the client scopes are acting as global scopes, which is not what I want, given the principle of lowest required privilege.
If I avoid using the refreshToken option, and don’t provide the scopes to the client, then things work as expected in browsers that support third-party cookies. Unfortunately this is not really an option for us, as we need to support most major browsers, and would prefer to stay away from the custom domain workaround, if possible.
Is there any way I can use this library to retrieve a different set of scopes for different APIs that my web app needs to call, or do I need to roll my own implementation?
Thanks,
Erlend
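The observation above (the same token comes back whatever subset of scopes is requested) can be checked mechanically rather than by comparing token strings by eye. The following is an added example, not code from the original post or from the auth0-spa-js library; it assumes the access token is a JWT whose payload carries a space-separated `scope` claim (the format Auth0 uses for audience-bound access tokens). The tokens are constructed inline and unsigned, and nothing here validates a signature: the point is only to confirm whether a token carries scopes beyond those requested for it. The `fakeGetAccessTokenSilently` function is a stand-in that reproduces the behaviour described in the post, not the library's implementation.

```javascript
// Added example: detect access tokens that carry more scopes than were
// requested for them (a least-privilege check on the client side).
// Assumption: tokens are JWTs with a space-separated "scope" claim.
// Tokens below are constructed test data, unsigned ("alg": "none").

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const pad = '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64')
    .toString('utf8');
}

// Build an unsigned JWT carrying the given scope string (constructed data).
function makeToken(scope) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({
    iss: 'https://example.auth0.com/',   // hypothetical tenant
    aud: 'https://api.example.com',      // hypothetical API audience
    scope,
    exp: 1900000000,
  }));
  return `${header}.${payload}.`;
}

// Parse the "scope" claim from a JWT payload into a Set (no signature check).
function scopesOf(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const raw = typeof payload.scope === 'string' ? payload.scope : '';
  return new Set(raw.split(' ').filter(Boolean));
}

// Scopes present on the token that were NOT in the requested set, sorted.
function excessScopes(token, requested) {
  const have = scopesOf(token);
  const want = new Set(requested.split(' ').filter(Boolean));
  return [...have].filter((s) => !want.has(s)).sort();
}

// Stand-in for the behaviour reported in the post: the client was created
// with a broad scope and hands back the same token for every subset asked
// for. This is a simulation, not the library's code.
const CLIENT_SCOPE = 'openid profile read:orders write:orders read:invoices';
function fakeGetAccessTokenSilently(_requestedScope) {
  return makeToken(CLIENT_SCOPE);
}

// Request a narrow scope, then report whether the token honours it.
function checkLeastPrivilege(getToken, requestedScope) {
  const token = getToken(requestedScope);
  const excess = excessScopes(token, requestedScope);
  return { ok: excess.length === 0, excess };
}

// Example run: the broad-token stand-in fails the check.
const result = checkLeastPrivilege(fakeGetAccessTokenSilently, 'openid read:orders');
console.log(result.ok ? 'token is minimal' : `excess scopes: ${result.excess.join(' ')}`);
```

Run this against the real `getAccessTokenSilently` by passing a wrapper that calls it with the requested scope and returns the token; if `excess` is non-empty for a subset request, the client is behaving as described above and the API being called will receive a token with more privilege than that call needs.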