[keycloak-user] Refreshing Tokens

I adding keycloak into a legacy application that uses GWT and Jetty. I have managed to get add Keycloak application using Spring-security. Because this is GWT I am doing the authorisation in the application myself. Sping just provides a way to get access to the KeycloakSecurityContext. The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed. Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly. I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed. Thanks Chris