I am having a strange situation, which might be arising from a bug in Keycloak.

I have a direct grants only OAuth client which makes invocations against a bearer-only REST interface, running on Wildfly 8.0.0 Final with Keycloak 1.0 final.

A side effect of making one of the invocations is that the user is added to a realm role. So far so good. The access token used to make that invocation though does not contain the new realm role, so he cannot, yet, make invocations against another endpoint (call it endpoint B) without getting a 403 Forbidden. This is expected.

So, the client has to refresh the access token (realms/{realm}/tokens/refresh), in order to get a new access token with the realm role. The refresh goes OK, but when he tries to make invocations against endpoint B, he still gets a 403 Forbidden.

What is maybe even stranger is that if, instead of refreshing the access token, he just requests a brand new access token using the direct grant keycloak stuff (realms/{realm}/tokens/grants/access), then he gets an access token which allows him to access endpoint B successfully.

So, in short, refreshing the access token does not yield an access token with the new realm role, but asking for a brand new access token does yield an access token with the new realm role.

I can reproduce this in my automated tests 100% of the times that I have tried it, but I don't have a nice little test case for you...

Does that sound like a bug, or am I missing something about how this is supposed to work?

Thank you in advance for taking the time to read this long e-mail,

Alarik
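The comparison the e-mail describes (roles in a refreshed token versus roles in a freshly granted token) can be made visible by decoding the access token payload and diffing its realm roles against the roles a caller expects. The script below is an added example, not code from the e-mail or from the Keycloak project. It assumes Keycloak places realm roles in the realm_access.roles claim, assumes the refresh endpoint named in the e-mail accepts the standard OAuth2 form parameters grant_type=refresh_token, refresh_token, client_id and client_secret (the refresh_access_token function is included for shape only and is not executed), and uses two constructed, unsigned tokens plus the constructed role name endpoint-b-role to mirror the situation reported above.

```python
import base64
import json
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is a diagnostic only; authorization decisions belong to the resource
    server after signature verification, never to an unverified decode."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def realm_roles(token: str) -> set:
    """Realm roles carried by a Keycloak access token (claim realm_access.roles, assumed)."""
    claims = token_claims(token)
    return set(claims.get("realm_access", {}).get("roles", []))


def missing_realm_roles(token: str, expected: set) -> set:
    """Roles the caller expects that the token does not carry; an empty set means ok."""
    return set(expected) - realm_roles(token)


def refresh_access_token(base_url, realm, refresh_token, client_id, client_secret):
    """POST to the Keycloak 1.0 refresh endpoint named in the e-mail.

    The form parameter names are an assumption (standard OAuth2 refresh_token
    grant); this function is not executed by the offline demonstration below."""
    url = f"{base_url}/realms/{realm}/tokens/refresh"
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def fake_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demonstration (empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens mirroring the e-mail: the refreshed token still lacks
# the newly assigned role, the freshly granted token carries it.
REFRESHED_TOKEN = fake_token({"sub": "alarik", "realm_access": {"roles": ["user"]}})
DIRECT_GRANT_TOKEN = fake_token(
    {"sub": "alarik", "realm_access": {"roles": ["user", "endpoint-b-role"]}}
)

if __name__ == "__main__":
    for name, tok in (("refreshed", REFRESHED_TOKEN), ("direct grant", DIRECT_GRANT_TOKEN)):
        gap = missing_realm_roles(tok, {"endpoint-b-role"})
        print(f"{name}: roles={sorted(realm_roles(tok))} missing={sorted(gap)}")
```

Running this against real tokens (replace the constructed ones with the access_token values returned by the refresh and direct-grant endpoints) shows whether the 403 comes from a role that is genuinely absent from the refreshed token, which separates a token-issuance problem from an authorization problem on the REST side.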