I am having a strange situation, which might be arising from a bug in Keycloak.

I have a direct grants only OAuth client which makes invocations against a bearer-only REST interface, running on Wildfly 8.0.0 Final with Keycloak 1.0 final.

A side effect of making one of the invocations is that the user is added to a realm role. So far so good. The access token used to make that invocation though does not contain the new realm role so he cannot, yet, make invocations against another endpoint (call it endpoint B) without getting a 403 Forbidden. This is expected.

So, the client has to refresh the access token (realms/{realm}/tokens/refresh), in order to get a new access token with the realm role. The refresh goes OK, but when he tries to make invocations against endpoint B, he still gets a 403 Forbidden.

What is maybe even stranger is that if instead of refreshing the access token, he just requests a brand new access token using the direct grant keycloak stuff (realms/{realm}/tokens/grants/access) then he gets an access token which allows him to access endpoint B successfully.

So, in short, refreshing the access token does not yield an access token with the new realm role, but asking for a brand new access token does yield an access token with the new realm role.

I can reproduce this in my automated tests 100% of the times that I have tried it, but I don't have a nice little test case for you...

Does that sound like a bug, or am I missing something about how this is supposed to work?

Thank you in advance for taking the time to read this long e-mail,

Alarik
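A check for the situation described above, added here as an example that is not part of the original mail or of Keycloak itself: decode the access token returned by each endpoint and diff its realm roles, so the refresh path and the direct-grant path can be compared claim by claim. It assumes Keycloak's `realm_access.roles` claim layout and uses constructed, unsigned sample tokens in place of real signed ones.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying the signature.
    Diagnostic use only: the resource server still verifies the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def realm_roles(token: str) -> set:
    # Keycloak carries realm roles under realm_access.roles (assumed claim layout).
    return set(jwt_claims(token).get("realm_access", {}).get("roles", []))

def role_diff(old_token: str, new_token: str) -> tuple:
    """(roles gained, roles lost) when moving from old_token to new_token."""
    old, new = realm_roles(old_token), realm_roles(new_token)
    return new - old, old - new

def constructed_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token in compact JWS form
    (empty signature segment; real Keycloak tokens are RS256-signed)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

# Constructed samples mirroring the report: the original token, a refreshed
# token that still lacks the new role, and a freshly granted token that has it.
ORIGINAL = constructed_token({"sub": "user-1", "realm_access": {"roles": ["user"]}})
REFRESHED = constructed_token({"sub": "user-1", "realm_access": {"roles": ["user"]}})
FRESH_GRANT = constructed_token(
    {"sub": "user-1", "realm_access": {"roles": ["user", "endpoint-b"]}})

if __name__ == "__main__":
    print("roles gained by refresh:", role_diff(ORIGINAL, REFRESHED)[0])   # set()
    print("roles gained by grant:  ", role_diff(ORIGINAL, FRESH_GRANT)[0])  # {'endpoint-b'}
```

Run the same diff against the real tokens returned by the refresh and grant endpoints (after verifying them) to confirm whether the missing role is absent from the refreshed token itself or the 403 comes from somewhere else.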