I noticed that when I request an access token (curl -v -H "Content-type: application/x-www-form-urlencoded" http://localhost:8080/auth/rest/realms/keycloak-admin/tokens/grants/access --data "client_id=...&client_secret=...&username=...&password=..." -H "Accept: application/json"), the response doesn't contain a refresh token. 

Is this intentional? And might it change in future versions?

According to http://tools.ietf.org/html/rfc6749#section-4.3 (which is the spec the above method implements, right?), the refresh token in the access token response is optional.

If I'm not mistaken, adding .generateRefreshToken() here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/TokenService.java#L201

should do the trick, right?

Cheers,

Nils