When creating an ID Token for a user following the spec for Resource Owner Password I’m finding that the “scopes” property of the request is not being respected. In the following snippet, I’d expect the server to return a token with only the requested scope, and instead I’m getting a token with a bunch of extra scopes that I do not want for security reasons.
Be default for resource owner password credentials flow the authorization server issues access tokens with all OIDC scopes granted independently of the exact set of OIDC scopes requested by the client. The OIDC scope parameter is used per OAuth 2.0 rules and from that specification the authorization server may ignore the actual requested scopes and issue scopes according to the server policy and in this particular case it’s what happens.
In other words, when using ROPC, by default the issued OIDC scopes will be all of them; if you really require to issue an access token with a different set of scopes for this grant you may implement a custom rule that sets context.accessToken.scope. For example, context.accessToken.scope = "openid"; would always issue only that scope, however, given rules run for all aplications and end-user login flows you would likely need to wrap this statement under conditional logic.
In addition, an access token may also be requested for a custom API and that API could have their own set of scopes so having a statement like the previous one would also prevent any API custom API scopes from being issued which may not be what you want. In conclusion, if you choose to control scopes through rules you need to be very careful with the conditional and scope setting logic so that you ensure you don’t affect other flows.