Token claims customization with Jsonnet #1748
Description
Is your feature request related to a problem? Please describe.
Migrating from Keycloak requires flexible token customization capabilities.
Describe the solution you'd like
To keep it flexible, yet lightweight, I am thinking of having a jsonnet snippet as part of a client description. It will be given some rich enough context as an input and would produce additional fields to be added to a token.
Example of jsonnet snippet configured for the client:
{
  scopes: ctx.accessRequest.grantedScopes, // scopes granted for this access request
  roles: ctx.metadata.roles // client's metadata object is injected as part of context
}
At the start, the snippet won't be able to alter any existing properties, only introduce new ones.
Describe alternatives you've considered
Additional context
I am mainly focusing on client_credentials grant for issuing tokens for service to service communication.
How does it fit into token introspect for non-JWT tokens?
I'll be able to work on this feature provided we agree on design details upfront
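The additive-only rule described in the request (a snippet may introduce new claims but never alter existing ones), sketched as an added example that is not part of the original issue or of the project's code. It assumes the snippet has already been evaluated to a JSON object; the function name ApplySnippetClaims and all sample values are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ApplySnippetClaims (hypothetical helper) merges the JSON object produced by
// a client's snippet into the claims the server has already set. The merge is
// additive only: a key already present in base keeps the server's value, and
// the attempted override is returned in the rejected list for logging.
func ApplySnippetClaims(base map[string]interface{}, snippetJSON []byte) (map[string]interface{}, []string, error) {
	var extra map[string]interface{}
	if err := json.Unmarshal(snippetJSON, &extra); err != nil {
		return nil, nil, fmt.Errorf("snippet output is not a JSON object: %w", err)
	}
	if extra == nil { // a literal `null` decodes without error but is not an object
		return nil, nil, fmt.Errorf("snippet output is not a JSON object")
	}
	merged := make(map[string]interface{}, len(base)+len(extra))
	for k, v := range base {
		merged[k] = v
	}
	var rejected []string
	for k, v := range extra {
		if _, exists := base[k]; exists {
			rejected = append(rejected, k) // never overwrite a server-set claim
			continue
		}
		merged[k] = v
	}
	sort.Strings(rejected) // map iteration order is random; keep output stable
	return merged, rejected, nil
}

func main() {
	// Constructed sample: claims set by the server for a client_credentials token.
	base := map[string]interface{}{"iss": "https://issuer.example", "sub": "service-a", "exp": 1700000000}
	// Constructed snippet output that also tries to replace "sub".
	out := []byte(`{"roles":["billing-reader"],"scopes":["orders.read"],"sub":"admin"}`)
	merged, rejected, err := ApplySnippetClaims(base, out)
	fmt.Println(merged, rejected, err)
}
```

Reporting the rejected keys instead of dropping them silently lets an operator spot a client configuration that tries to replace claims such as sub or iss.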