+1 We should just update the access token with new details and roles
Not sure if this is really an issue, but would there be a case where an application caches
the claims in the token? I don't think there is, but if we do update the token we
should make it 100% clear in the docs that this will happen.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Thursday, 20 August, 2015 3:25:36 AM
Subject: Re: [keycloak-user] Exception after changing roles
If you remove a role mapping that the old token has, the refresh token
becomes invalid. We should probably rethink that a little and only
throw an error if consent from the user is required.
On 8/19/2015 10:33 AM, Thomas Raehalme wrote:
> Hi,
>
> I have been doing some experiments with Keycloak and encountered a problem:
>
> If a user is logged in and her client role mappings are changed in the
> admin UI, why is an exception thrown "User no long has permission for
> client role OLD_ROLE" when the token expires and the refresh token is
> used to acquire a new one?
>
> I was expecting the new token to contain the new set of roles, but
> instead got this error.
>
> Thanks for your help!
>
> Best regards,
> Thomas
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
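To make the two behaviours discussed in this thread concrete, here is an added example that models them; it is constructed for this page and is not Keycloak code. Tokens are plain dicts rather than signed JWTs, role mappings live in an in-memory dict, and the policy names REJECT_ON_REMOVAL and REISSUE are hypothetical labels for the behaviour Thomas reported and the change Bill proposed (only fail when the client needs renewed consent). The changed_claims helper addresses the caching concern in the top reply: it reports which claims an application that cached the old token would now hold stale.

```python
"""Constructed model of refresh-token handling when role mappings change.

Added example, not Keycloak code: tokens are dicts, not signed JWTs; role
mappings are an in-memory dict; the policy names are hypothetical labels.
"""
from dataclasses import dataclass

# Hypothetical policy labels:
#   REJECT_ON_REMOVAL - behaviour reported in the thread: refreshing fails if a
#                       role carried by the old token has since been unmapped.
#   REISSUE           - proposed behaviour: mint a new token from the current
#                       mappings; fail only when the client requires consent,
#                       since the user consented to the old role set.
REJECT_ON_REMOVAL = "reject_on_removal"
REISSUE = "reissue"


class RefreshRejected(Exception):
    """Raised instead of issuing a new token pair."""


@dataclass
class Client:
    client_id: str
    consent_required: bool = False


@dataclass
class Realm:
    clients: dict            # client_id -> Client
    role_mappings: dict      # client_id -> user -> set of client roles
    policy: str = REJECT_ON_REMOVAL
    access_ttl: int = 300    # seconds

    def current_roles(self, user, client_id):
        return set(self.role_mappings.get(client_id, {}).get(user, set()))

    def issue(self, user, client_id, now):
        """Mint an access/refresh pair from the user's current role mappings."""
        roles = sorted(self.current_roles(user, client_id))
        access = {"sub": user, "azp": client_id, "roles": roles, "exp": now + self.access_ttl}
        refresh = {"sub": user, "azp": client_id, "roles": roles, "typ": "Refresh"}
        return access, refresh

    def refresh(self, refresh_token, now):
        """Refresh grant: compare roles recorded at issue time with the mappings now."""
        user, client_id = refresh_token["sub"], refresh_token["azp"]
        old_roles = set(refresh_token["roles"])
        new_roles = self.current_roles(user, client_id)
        removed = old_roles - new_roles
        if self.policy == REJECT_ON_REMOVAL and removed:
            # The outcome reported in the thread.
            raise RefreshRejected(
                f"User no longer has permission for client role {sorted(removed)[0]}")
        if (self.policy == REISSUE and old_roles != new_roles
                and self.clients[client_id].consent_required):
            raise RefreshRejected("role set changed; renewed user consent required")
        # Otherwise the new token simply carries the current role set.
        return self.issue(user, client_id, now)


def changed_claims(cached_access, fresh_access):
    """Claims whose value differs between a token an application cached and the
    token it just received; a non-empty result means any cache keyed on the old
    claims (for example roles) must be invalidated."""
    keys = set(cached_access) | set(fresh_access)
    return {k for k in keys if cached_access.get(k) != fresh_access.get(k)}


def demo():
    # Constructed data: one client, one user, OLD_ROLE mapped at login time.
    realm = Realm(clients={"app": Client("app")},
                  role_mappings={"app": {"thomas": {"OLD_ROLE", "viewer"}}})
    access, refresh = realm.issue("thomas", "app", now=1000)
    # An admin unmaps OLD_ROLE and maps NEW_ROLE while the session is live.
    realm.role_mappings["app"]["thomas"] = {"viewer", "NEW_ROLE"}
    try:
        realm.refresh(refresh, now=1400)
        outcome = "refreshed"
    except RefreshRejected as exc:
        outcome = f"rejected: {exc}"
    # Same refresh token under the proposed policy: a new token with the new roles.
    realm.policy = REISSUE
    new_access, _ = realm.refresh(refresh, now=1400)
    return outcome, new_access["roles"], changed_claims(access, new_access)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the rejection under the default policy, then the re-issued token carrying NEW_ROLE under REISSUE, with changed_claims listing roles and exp as the claims a caching application must not keep serving from the old token.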