Hi,
We have set a password policy to have passwords expire after a number of days. This works
fine through the Keycloak login screen. However, when we use the REST API to do a direct
grant (we call '/protocol/openid-connect/token' on Keycloak 1.3.1) a valid token
is returned even after the password has expired.
This does not seem like the correct behavior. Is there an issue here?
Thanks,
Chris