Hi,

We have set a password policy to have passwords expire after a number of days.  This works fine through the Keycloak login screen.  However, when we use the REST API to do a direct grant (we call '/protocol/openid-connect/token' on Keycloak 1.3.1) a valid token is returned even after the password has expired.

This does not seem like the correct behavior.  Is there an issue here?

Thanks,
Chris