I have been doing some experiments with Keycloak and encountered a problem:

If a user is logged in and her client role mappings are changed in the admin UI, why is an exception thrown "User no long has permission for client role OLD_ROLE" when the token expires and the refresh token is used to acquire a new one?