Yeah, the granted scopes are part of the ID tokens, so they're visible from the requesting application. They could theoretically be hidden by encrypting the bearer_token itself (that's part of the standard already, though few seem to actually do it atm) and omitting them from the id_token, but omitting them would, to my knowledge, be in violation of the standard.

The scope mechanic would have to be reworked altogether if this feature is to have any chance of actually achieving the desired effect, so that a scope can only be granted for n minutes or something. But that would make a lot of good use cases borderline impossible (i.e. the previously mentioned alternative frontends for popular pages).

It's really hard without revamping the OIDC standard altogether, but that's unlikely to happen as well. Good authentication/authorization is just super hard and continues to be unsolved, especially if untrusted entities are involved.
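As an added illustration of the point above (this is example code written for this page, not the commenter's or any library's), the following stdlib-only Python shows what a client can read from a compact JWT without holding any key: in a signed (JWS) token the payload, scopes included, is plain base64url and readable by anyone who has the token, whereas an encrypted (JWE) token exposes only its header. The HS256 secret, the claims, and the JWE-shaped token are all constructed for the example; the JWE's four trailing segments are placeholder bytes standing in for real ciphertext, because only the wire shape matters here. It also shows that the standard `exp`/`iat` claims give one lifetime for the whole token, which is why a per-scope "valid for n minutes" would need something the standard claims do not provide.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed for this example only


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWS/JWE compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a signed (JWS) token. The payload is only encoded, never encrypted."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes) -> bool:
    """Integrity check needs the key; reading the payload (below) does not."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def inspect_token(token: str) -> dict:
    """Everything a client can learn from a compact token with no key at all."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5 and "enc" in header:
        # JWE compact form: header.encrypted_key.iv.ciphertext.tag -> claims are opaque
        return {"format": "JWE", "header": header, "claims": None}
    if len(parts) == 3:
        # JWS compact form: header.payload.signature -> payload is plain base64url
        return {"format": "JWS", "header": header,
                "claims": json.loads(b64url_decode(parts[1]))}
    raise ValueError("not a JWS or JWE compact serialization")


def visible_scopes(token: str):
    """Scopes readable by the client; None if the token is encrypted."""
    claims = inspect_token(token)["claims"]
    if claims is None:
        return None
    return claims.get("scope", "").split()


def token_lifetime_seconds(claims: dict) -> int:
    """Standard JWT claims (RFC 7519) carry a single exp for the whole token,
    so every scope in it shares this lifetime; per-scope expiry would need
    a claim the standard does not define."""
    return claims["exp"] - claims["iat"]


# Constructed sample tokens (issuer, subject and audience are placeholders)
SIGNED_TOKEN = make_hs256_jwt(
    {"iss": "https://idp.example", "sub": "user-123", "aud": "client-abc",
     "iat": 1_700_000_000, "exp": 1_700_000_600, "scope": "openid profile email"},
    SECRET,
)

# JWE-shaped token: a real JWE header, but the four remaining segments are
# placeholder bytes, not actual ciphertext; only the wire shape matters here.
ENCRYPTED_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM"}).encode()),
    b64url_encode(b"\x01" * 32),   # placeholder encrypted content key
    b64url_encode(b"\x02" * 12),   # placeholder IV
    b64url_encode(b"\x03" * 64),   # placeholder ciphertext
    b64url_encode(b"\x04" * 16),   # placeholder authentication tag
])

if __name__ == "__main__":
    for name, tok in (("signed", SIGNED_TOKEN), ("encrypted", ENCRYPTED_TOKEN)):
        print(name, inspect_token(tok)["format"], "scopes visible:", visible_scopes(tok))
    print("lifetime (s):", token_lifetime_seconds(inspect_token(SIGNED_TOKEN)["claims"]))
```

Run as a script, the signed token reports its three scopes with no key involved, while the JWE-shaped token reports none; `verify_hs256` is there to make the contrast explicit: the key is needed to trust the token, never to read it.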
