I'm not keen on that as it wouldn't be standards compliant. Could also
require a lot of messages to a lot of clients when roles are modified.
I think it can just be handled on the client side. If it gets a 403, get a
new token and try again.
On 9 March 2017 at 23:46, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
Hello group,
I have a service which is registered as an OIDC client with service accounts enabled.

If the service obtained an access_token with the client_credentials grant, it contains the service account roles assigned to that client at the moment the token was issued.

The service now uses the access_token to make calls to other services. As long as the access_token is valid, the service reuses the access_token.

If one now changes the service account role configuration of the client in Keycloak, the new roles are NOT visible to the service until it obtains a new access_token with the new role assignment - which can take a while depending on the configured token lifetime.

It would be helpful if Keycloak could notify clients (perhaps via Webhook?) about client configuration changes (roles, mappers, scopes, etc.) - services could then take suitable action, e.g. obtain a new access_token.
What do you think?
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
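The client-side approach suggested in the reply (cache the client_credentials token while it is valid, and on a 403 fetch a new one and retry) is easy to get subtly wrong: an unbounded "refresh and retry" turns a genuinely missing role into a token-endpoint loop. The example below is added here and is not code from Keycloak or from either poster; `FakeKeycloak`, `ServiceClient`, the client id `svc`, the secret `secret`, and the unsigned JWT-shaped tokens are all constructed so the example runs offline. The only assumption about Keycloak's behaviour is the one the thread states: the roles in the token are the service-account roles at issue time, and a token is reused until it expires.

```python
"""Client-side handling of stale service-account roles (added example,
not part of the original thread or of Keycloak).

FakeKeycloak stands in for the token endpoint and a downstream service;
it issues unsigned, JWT-shaped tokens (constructed for illustration) that
carry the client's service-account roles at the moment of issue.
ServiceClient caches the token, refreshes it shortly before expiry, and
on a 401/403 fetches a fresh token and retries exactly once.
"""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read the payload of a JWT-shaped token WITHOUT verifying it.

    Fine for scheduling our own refresh; a resource server must verify
    the signature before trusting any claim (FakeKeycloak skips that)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


class FakeKeycloak:
    """Constructed stand-in for the token endpoint and a protected service."""

    def __init__(self, roles, lifetime=300, now=time.time):
        self.roles = set(roles)       # service-account roles of the client
        self.lifetime = lifetime      # configured access token lifespan (s)
        self.now = now
        self.tokens_issued = 0

    def token_endpoint(self, client_id, client_secret, grant_type):
        assert grant_type == "client_credentials"
        assert (client_id, client_secret) == ("svc", "secret")  # constructed creds
        self.tokens_issued += 1
        header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
        claims = {"azp": client_id, "exp": int(self.now()) + self.lifetime,
                  "realm_access": {"roles": sorted(self.roles)}}  # roles at issue time
        token = f"{header}.{_b64url(json.dumps(claims).encode())}."  # empty signature
        return {"access_token": token, "expires_in": self.lifetime}

    def resource(self, token, required_role):
        """Return an HTTP-style status for a call made with the bearer token."""
        try:
            claims = decode_claims(token)
        except (ValueError, IndexError):
            return 401
        if claims["exp"] <= self.now():
            return 401
        return 200 if required_role in claims["realm_access"]["roles"] else 403


class ServiceClient:
    """Reuses the access token while valid; re-fetches on expiry or 401/403."""

    def __init__(self, token_endpoint, client_id, client_secret,
                 now=time.time, skew=30):
        self.token_endpoint = token_endpoint
        self.client_id, self.client_secret = client_id, client_secret
        self.now, self.skew = now, skew
        self._token, self._exp = None, 0

    def access_token(self, force=False):
        # Refresh a little before 'exp' so clock skew cannot hand out a dead token.
        if force or self._token is None or self._exp - self.skew <= self.now():
            resp = self.token_endpoint(self.client_id, self.client_secret,
                                       "client_credentials")
            self._token = resp["access_token"]
            self._exp = decode_claims(self._token)["exp"]
        return self._token

    def call(self, resource, required_role):
        status = resource(self.access_token(), required_role)
        if status in (401, 403):
            # The cached token may predate a role change (403) or have expired
            # (401): fetch a fresh one and retry exactly once, so a role that
            # really is not assigned cannot turn into a refresh loop.
            status = resource(self.access_token(force=True), required_role)
        return status


if __name__ == "__main__":
    kc = FakeKeycloak({"reader"})
    client = ServiceClient(kc.token_endpoint, "svc", "secret")
    print(client.call(kc.resource, "writer"))   # 403: role not assigned yet
    kc.roles.add("writer")                      # admin changes the client's roles
    print(client.call(kc.resource, "writer"))   # 200 after the 403-triggered refresh
```

The single retry is the important design choice: after one forced refresh the token reflects the current role assignment, so a second 403 is authoritative and is returned to the caller rather than retried. In a real deployment the same logic sits around the HTTP client, with a short grace period so several concurrent 403s do not each hit the token endpoint.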