Description
Currently, the access token scope returned in the authorization code flow response is not recorded anywhere, primarily because the access token is forwarded to the downstream service by default, and because an access token in JWT format has a scope claim, or, if it is a binary token, the scope can be found in the introspection response.
However, for providers like GitHub, the scope property in the authorization code flow response is the only way to get to the access token scope. GitHub tokens are meant to be used for accessing the GitHub API, where the token scopes will be verified, but in Quarkus OIDC one can configure that the access token can act as a source of roles (and permissions) to access the current endpoint.
This is also supported by Vert.x OIDC, which is when I noticed we don't record this scope property.
I'd have marked this issue as a bug if it were not the case that GitHub tokens are indeed meant to access GitHub API.
Either way, retaining the access token scope from the authorization code flow response should be supported, so that users are able to analyze at some point what the actual access token scope is, compared to the requested scope, especially when the access token is binary.
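As an added illustration of the comparison described above (standalone example code, not Quarkus or Vert.x code), the snippet below retains the `scope` value from a token endpoint response and diffs it against the requested scope. It assumes constructed token responses; it accepts both the space-delimited scope of RFC 6749 and GitHub's comma-delimited form, and applies the RFC 6749 rule that an absent `scope` means the requested scope was granted as-is.

```python
"""Retain the granted scope from an authorization-code token response and
compare it with the requested scope, for JWT and binary (opaque) tokens alike."""
import json
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class ScopeCheck:
    requested: frozenset
    granted: frozenset
    reported: bool  # False when the response carried no 'scope' property

    @property
    def missing(self):  # requested but not granted (downscoped by the provider)
        return self.requested - self.granted

    @property
    def extra(self):  # granted but never requested (should not drive role mapping)
        return self.granted - self.requested

    @property
    def matches(self):
        return not self.missing and not self.extra


def parse_scope(value):
    """RFC 6749 scope is space-delimited; GitHub returns e.g. 'repo,gist'.
    Accept both so 'repo,gist' is not mistaken for a single scope token."""
    return frozenset(s for s in (value or "").replace(",", " ").split() if s)


def parse_token_response(body, content_type):
    """JSON per RFC 6749, or form-encoded (GitHub's default without Accept: application/json)."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    return {k: v[0] for k, v in parse_qs(body).items()}


def check_granted_scope(body, content_type, requested_scope):
    resp = parse_token_response(body, content_type)
    requested = parse_scope(requested_scope)
    if "scope" not in resp:
        # RFC 6749 section 5.1: scope may be omitted only if identical to the request.
        return ScopeCheck(requested, requested, reported=False)
    return ScopeCheck(requested, parse_scope(resp["scope"]), reported=True)


# Constructed sample responses (not real tokens).
GITHUB_FORM = "access_token=gho_constructed_example&scope=repo%2Cgist&token_type=bearer"
OIDC_JSON = '{"access_token":"opaque-constructed","token_type":"Bearer","scope":"openid profile"}'
```

A `missing` set tells an administrator the provider downscoped the grant, and a non-empty `extra` set flags scopes that were never requested but would otherwise be treated as roles.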
Implementation ideas
No response