If a user is logged in and her client role mappings are changed in the admin UI, why is an exception thrown "User no long has permission for client role OLD_ROLE" when the token expires and the refresh token is used to acquire a new one?

I was expecting the new token to contain the new set of roles, but instead got this error.