[Feature] Suppport OAuth 2.0 Refresh Token Grant Type

[perlmaxm]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

After removing client role restricted-access from user, you can continue get new pair of access and refresh tokens with refresh token

Expected Behavior

After removing client role restricted-access from user, you get "access-denied" error with refresh token

Steps To Reproduce

1. make flow with extension (browser or direct access grant)
2. give user role from client
3. user authenticated (you get pair access, refresh tokens with browser flow or direct grant flow)
4. remove role from user
5. you can continue get pair of tokens with refresh_token

Version

- Keycloak: 25.0.6
- This extension: 25.0.0

Anything else?

No response

[sventorben]

Thanks for reporting this and for your detailed description, @perlmaxm.

After reviewing the behavior, I don’t believe this is a bug in this extension. The extension provides an authenticator that functions during the login flow, and within that scope, it works as intended.

What’s happening here is related to how Keycloak handles the Refresh Token grant: it does not invoke any authentication flow or authenticator. This is not specific to the extension - even in a default Keycloak setup, if you configure a conditional sub-flow in the authentication flow (e.g. using a "User Role" condition and a "Deny Access" authenticator), that logic is only evaluated during the initial login. It is not re-evaluated when a refresh token is used. The same limitation applies when using this extension, since it integrates into the login flow via an authenticator.

Additionally, it's worth noting that the restricted-access role no longer appears as a claim in the refreshed access token. That is actually aligned with the intent: the application should always enforce access based on token claims. As noted in the README under "Policy enforcement":

Make sure your clients enforce decisions correctly ...

This extension is designed to support authorization decisions during the login flow, as explicitly stated in the README:

What this extension supports you with is authorization decision-making and communicating the outcome to the user during login flow.

Since a refresh_token grant does not involve a login flow, this limitation is expected.

That said, I understand the desire to enforce similar restrictions during token refresh. This could be an interesting feature request, possibly achievable through Keycloak's client policies system. It's not something the extension can currently support, but it's definitely worth discussing further.

I’ll leave this issue open and reclassify it as a potential enhancement.

[perlmaxm]

@sventorben Thank you very much for the detailed response! I suspected that the extension is not involved in the refresh_token grant, since it was originally intended for something else. But I decided to ask, just in case this logic was considered.
I’ll be looking forward to the new feature—thank you!