Error refreshing a token because of modified roles

Solution Unverified - Updated -

Issue

  • The adapter log shows a lot of errors with this message:

    ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (http-0.0.0.0:8082-3) Refresh token failure status: 400 {"error":"invalid_scope","error_description":"User no long has permission for realm role: XXXXX"}
    
  • On the server log just a refresh token error is shown:

    WARN  [org.keycloak.events] (default task-2) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=sample-client, userId=15c5bc50-c248-4be7-8590-8a2931a1ffbc, ipAddress=x.x.x.x, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=202589ac-aa1f-4b28-94f9-72ff6e11c3e1, client_auth_method=client-secret
    

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In