Authorization isn't broken, what's broken is that the JavaScript library wrongly believes the token is still valid so doesn't refresh it, but instead sends an expired token to the server. We'll get a fix in Keycloak for that problem hopefully in the next release.