
MarkW.58420 (Customer) asked a question.
Say I have scopes foo:bar and foo:baz. I would like a token that gets populated with the appropriate scope based on the user (say Alice -> foo:bar and Bob -> foo:baz) and I would like to only have to request this token once. But I can't seem to get this to work with Okta. Here are options I've considered:
- When I issue the token request, I don't know the user, so I cannot change the scope requested.
- I can first request a token without the scopes above, then when I get the token back, issue another token request because I now know the user and can figure out whether it's foo:bar or foo:baz I want. This creates two tokens when I'd only want one.
- The OAuth spec seems to indicate that it is possible for the client to request a scope and for the server to return a different scope than requested. I was wondering if it is possible to define something like foo:all and have the auth server return a different scope based on who the user is. I don't see a way to do this in Okta as the access policy checks for a specific scope but provides no options to modify it.
- Then, I thought maybe I could use default scopes to do this. While this allows me to give Alice and Bob the appropriate scopes, it does not allow me to return any of the other OIDC scopes as part of the token request, as those are not default.
I briefly looked into inline hooks and assume that will probably give me the power I need to modify the scopes associated with the token that is requested, but would like to avoid having to implement such a heavyweight response if possible, hence this post. If anyone has any guidance on the recommended way to go about this, please enlighten me. Thanks!

Actually, having thought about it a bit more, I was wondering if I could just request all the scopes (so foo:bar foo:baz) and then on the access policy side implement two policies: "if user == Alice and scope = foo:bar" and "if user == Bob and scope = foo:baz".
Never mind, that doesn't work, as the access policy will fail for scopes Alice or Bob don't have access to. My original question stands.
Is it possible to set this up with an Authorization Server's access policy and add two rules for different users and different scopes?
What will the rules be? As I mentioned, I could have rules "if user == Alice and scope = foo:bar" and "if user == Bob and scope = foo:baz", but then the question becomes how do I know that I need to request "foo:bar" or "foo:baz" at access token request time before the user logs in?
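To make the two behaviours discussed in this thread concrete, here is a small model (added example, not Okta code and not the asker's): an authorization server that applies per-user scope rules either all-or-nothing (the failure described above when both scopes are requested) or by narrowing the grant as RFC 6749 section 3.3 permits, plus the client-side read of the `scope` member that section 5.1 requires in the response when the granted scope differs from the request. The users, rule table and token strings are constructed for illustration.

```python
"""Constructed model of per-user scope rules on an authorization server.

Not Okta's policy engine: it only reproduces the two evaluation styles the
thread contrasts, all-or-nothing versus RFC 6749 scope narrowing.
"""


class AccessDenied(Exception):
    pass


# Hypothetical policy table: the scopes each user may be granted.
RULES = {"alice": {"foo:bar"}, "bob": {"foo:baz"}}
# OIDC scopes are treated as always grantable in this model.
OIDC_SCOPES = {"openid", "profile", "email"}


def issue_token(user, requested, narrow):
    """Return a token response dict for `requested` (a set of scope strings).

    narrow=False: any requested scope the user may not hold fails the whole
    request, the behaviour the asker observed with one rule per user/scope.
    narrow=True: grant the allowed subset (RFC 6749 3.3) and, because the
    granted scope then differs from the request, include `scope` in the
    response (RFC 6749 5.1 makes it REQUIRED in that case).
    """
    allowed = RULES.get(user, set()) | OIDC_SCOPES
    granted = requested & allowed
    if not narrow and granted != requested:
        raise AccessDenied(f"{user} may not hold {sorted(requested - allowed)}")
    if not granted:
        raise AccessDenied("nothing grantable for this request")
    resp = {"access_token": f"constructed-token-for-{user}", "token_type": "Bearer"}
    if granted != requested:
        resp["scope"] = " ".join(sorted(granted))
    return resp


def request_is_denied(user, requested, narrow):
    """True when the model rejects the request outright."""
    try:
        issue_token(user, requested, narrow)
    except AccessDenied:
        return True
    return False


def granted_scopes(resp, requested):
    """Client side: scopes actually granted. No `scope` member means 'as requested'."""
    if "scope" in resp:
        return set(resp["scope"].split())
    return set(requested)
```

With narrowing the client can request `openid foo:bar foo:baz` once and learn from the response which of the two it actually received; without narrowing the same request is refused.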