Deploying to main from @ 93b44449fe81ba83827bb386192bf37623d97fe7 🚀

Author: ahus1

extensions.html

@@ -402,7 +402,7 @@ <h5 class="card-title">MFA Plugin collection</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span>223 stars</span>
+                                        <span>224 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -419,7 +419,7 @@ <h5 class="card-title">Magic Link Login</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span>349 stars</span>
+                                        <span>350 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -640,7 +640,7 @@ <h5 class="card-title">privacyIDEA two factor authentication</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span>106 stars</span>
+                                        <span>107 stars</span>
                                     </div>
                                 </div>
                         </div>
@@ -781,7 +781,7 @@ <h5 class="card-title">Metrics SPI</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span>605 stars</span>
+                                        <span>606 stars</span>
                                     </div>
                                 </div>
                         </div>

nightly/securing-apps/token-exchange.html

@@ -356,6 +356,18 @@ <h3 id="_standard-token-exchange-scope"><a class="anchor" href="#_standard-token
 </tr>
 </table>
 </div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-note" title="Note"></i>
+</td>
+<td class="content">
+By default, token exchange can be used to request extra scopes and audiences that are not present in the initial <code>subject_token</code>. If, for security reasons, you want to ensure that scopes are limited to the ones already granted to the <code>subject_token</code>, the <code>downscope-assertion-grant-enforcer</code> policy executor can be applied to the client. This executor enforces that only downscoping is allowed for token exchange. See <a href="https://www.keycloak.org/docs/latest/server_admin/#_downscoping">Downscoping</a> and <a href="https://www.keycloak.org/docs/latest/server_admin/#_client_policies">Client Policies</a> chapters in the Server Administration Guide for more information.
+</td>
+</tr>
+</table>
+</div>
 <div class="sect3">
 <h4 id="_examples"><a class="anchor" href="#_examples"></a>Examples</h4>
 <div class="paragraph">