I have managed to get add Keycloak application using Spring-security.

Because this is GWT I am doing the authorisation in the application myself.

Sping just provides a way to get access to the KeycloakSecurityContext.

The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance

and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed.

Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly.

I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow

me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed.

Thanks

Chris