Asp.Net Core OAuth2 Strip token of claims or Request new token

IIndeed 🐸9/18/2022
I am trying to prevent sending unnecessary tokens to WebApi however I find it hard to do.
I am using Duende.IdentityServer package

These are approaches i am considering.
-To either strip a token of unnecessary claims if it's possible
-or ask for a new token however I do not believe i have access to the code from authorizationcodeflow to request a new token. Having tried to use ClientCredentials Flow I've failed whenever ive asked for user specific information like "role" or even their id using "openid" scope
IIndeed 🐸9/18/2022
Having tried Implicit Flow I get
IIndeed 🐸9/18/2022
IIndeed 🐸9/18/2022
for "APIScope roles"
IIndeed 🐸9/18/2022
IIndeed 🐸9/18/2022
for "APIScope roles openid"
IIndeed 🐸9/18/2022
      new() {
        ClientId = "POSTMAN",
        ClientSecrets = {new Secret("POSTMAN".Sha256())},

        AllowedGrantTypes = GrantTypes.Implicit,

        // where to redirect to after login
        RedirectUris = {""},

        // where to redirect to after logout
        PostLogoutRedirectUris = {$"{IpAddresses.MVCServer}/signout-callback-oidc"},

        AllowedScopes = new List<string> {
        RequirePkce = false,
        AllowPlainTextPkce = false,
        AllowAccessTokensViaBrowser = true
IIndeed 🐸9/18/2022
  public static IEnumerable<IdentityResource> IdentityResources =>
    new IdentityResource[] {
      new IdentityResources.OpenId(),
      new IdentityResources.Profile(),

  public static IEnumerable<ApiScope> ApiScopes =>
    new[] {Scopes.ApiScope};
IIndeed 🐸9/18/2022
IIndeed 🐸9/18/2022
ClientCredentials Scope is for Machine-Machine call so it can't transfer user information