[keycloak-user] New mappers not reflected when using original refresh token

Neil Chapman neil.chapman at scm.ca
Wed May 16 17:19:53 EDT 2018


Hello

We are using Keycloak to store users and roles, and we have various role name mappers to transform the roles into a custom format within the access token. Once a user has been set up, we issue them a refresh token and they are able to create access tokens from the refresh token, and all is good.

The issue we are having is that if we then create a new role and new role name mapper to map this new role into the access token, the new mapper functionality is not reflected in the original refresh token we issued to the client.

Whether we use the access token or a new refresh token that is based on the initial refresh token, we never see the new mapper functionality reflected in the access token. We see the new role in the default position in the access token, but it is not mapped to the right place based on our mapper.

We find ourselves having to create a brand new refresh token by running the following cURL command internally and then instructing the client to use the new refresh token:

curl --data "grant_type=password&client_secret=xxxxxxxxxxx&client_id=xxxx&username=xxx@xxx.com&password=xxxx&scope=offline_access" https://auth.xxxxxxxx.com/auth/realms/opta/protocol/openid-connect/token

After we do this and give the user the new refresh token the new mapper functionality is present in all future access tokens.

Is there a way for our users to continue to use the original refresh token and have new role mappers be reflected in the user's access tokens?

Our goal and understanding were that there is a way to issue a client a refresh token once, and that all changes to that user's profile (roles, attributes, mappers) would be reflected by using the original refresh token to create access tokens.

We'd like to issue a single refresh token to a user and then make changes to the users roles, mappers, etc. and not have the user adopt a new refresh token each time.

We are using version 3.2.1-final.

Thank you
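Added example, not part of the original post and not Keycloak project code: a small offline helper for checking the symptom described above. It builds the request body for the standard OAuth 2.0 refresh_token grant (RFC 6749 section 6) against Keycloak's token endpoint path, decodes an access token's payload without signature verification so the claims can be inspected, and reports every JSON path at which a role name appears, so you can see whether a role landed only in Keycloak's default realm_access.roles position or also under the claim your mapper writes. The mapper claim name "custom_roles", the "APP_" prefix, the realm, client id and secret, and the two sample tokens are all constructed assumptions for this example; the tokens are unsigned (alg "none") and exist only to reproduce the reported behaviour, and the decoder must never be used to make trust decisions.

```python
"""Added example (not from the original post): locate where a role appears in a
Keycloak access token and form the refresh_token grant request body.

Assumptions (hypothetical, not from the post): the custom mapper writes roles
into a top-level claim named "custom_roles" with an "APP_" prefix; realm,
client id and secret are placeholders. Sample tokens are constructed and
unsigned, for inspection only."""
import base64
import json
from urllib.parse import urlencode


def token_endpoint(base_url, realm):
    # Keycloak's OIDC token endpoint, the same path as the cURL in the post.
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def refresh_grant_body(client_id, client_secret, refresh_token):
    # RFC 6749 section 6: exchange an existing refresh token for a new access
    # token, instead of re-running the password grant used in the post.
    # urlencode so a refresh token containing '.', '+' or '=' survives transport.
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })


def _b64url_decode(seg):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token):
    # Decode the payload WITHOUT verifying the signature: fine for looking at
    # claims on a workstation, never for authorization decisions.
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_unsigned_jwt(claims):
    # Constructed sample token (alg "none", empty signature) for this example.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}."


def find_value(obj, wanted, path=""):
    # Return every JSON path (dotted keys, [index] for lists) at which the
    # string `wanted` appears anywhere in the decoded claims.
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits += find_value(val, wanted, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits += find_value(val, wanted, f"{path}[{i}]")
    elif obj == wanted:
        hits.append(path)
    return hits


def mapper_applied(token, mapped_name, mapped_claim="custom_roles"):
    # True only if the mapped role name appears under the mapper's own claim;
    # a role sitting solely in realm_access.roles means the mapper did not run.
    claims = decode_jwt_payload(token)
    return any(p.startswith(mapped_claim) for p in find_value(claims, mapped_name))


# Constructed sample tokens reproducing the symptom in the post: the new
# "auditor" role shows up in the default position but not under custom_roles.
OLD_TOKEN = make_unsigned_jwt({
    "sub": "1234",
    "realm_access": {"roles": ["user"]},
    "custom_roles": ["APP_USER"],
})
NEW_TOKEN = make_unsigned_jwt({
    "sub": "1234",
    "realm_access": {"roles": ["user", "auditor"]},
    "custom_roles": ["APP_USER"],  # mapper output for "auditor" is missing
})

if __name__ == "__main__":
    print(token_endpoint("https://auth.example.com", "opta"))
    print(refresh_grant_body("my-client", "my-secret", "eyJ.refresh.token"))
    print(find_value(decode_jwt_payload(NEW_TOKEN), "auditor"))
    print(mapper_applied(NEW_TOKEN, "APP_AUDITOR"))
```

To use it against a live realm, POST the body from refresh_grant_body to the URL from token_endpoint (the real refresh token goes in place of the placeholder), then feed the returned access_token to find_value or mapper_applied; a role that only shows up under realm_access.roles is exactly the "default position" case described above.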

