I adding keycloak into a legacy application that uses GWT and Jetty.
I have managed to get add Keycloak application using Spring-security.
Because this is GWT I am doing the authorisation in the application myself.
Sping just provides a way to get access to the KeycloakSecurityContext.

The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed.
Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly.

I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow
me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed.