[keycloak-user] Spring checks Bearer token for permitted requests

I have an instance of KeycloakWebSecurityConfigurerAdapter that contains the following configuration: protected void configure(HttpSecurity httpSecurity) throws Exception { super.configure(httpSecurity); httpSecurity .antMatcher("/mobile/**") .authorizeRequests() .antMatchers("/mobile/api/login", "/mobile/api/refresh").permitAll() .antMatchers("/mobile/api/**").authenticated() .......... The Client is setup for bearer-only. It works fine, except when the access token expires. Some mobile clients send the expired token as a header in the call to "/mobile/api/refresh". The problem is that even though "/mobile/api/refresh" is marked as permitAll, the request is blocked. Its not possible to fix all the mobile clients. How could I configure Spring to ignore the bearer token for the "permitAll" calls, or remove the header?