diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index 7cf3622..9165072 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -283,6 +283,10 @@ public class TokenManager {
.accessToken(validation.newToken)
.generateRefreshToken();
+ if (validation.newToken.getAuthorization() != null) {
+ responseBuilder.getRefreshToken().setAuthorization(validation.newToken.getAuthorization());
+ }
+
// KEYCLOAK-6771 Certificate Bound Token
// https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3.1
// bind refreshed access and refresh token with Client Certificate
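Review bot: The new block after `generateRefreshToken()` carries no comment saying why the authorization claim is copied into the refresh token, while the code directly below documents its purpose with an issue reference. I would add something like `// keep the RPT permissions in the refresh token so they survive the next refresh`. The same object returned by `getAuthorization()` is handed to both tokens rather than a copy, so a later mutation of one would show up in the other. Whether the permissions carried this way are re-evaluated against current policies on refresh is not visible here; if they are reused as-is, a permission revoked after issuance would presumably stay usable for the refresh token's lifetime, which is worth confirming. The enclosing method starts and ends outside the hunk.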
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java
index a6be35e..c89d98e 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaGrantTypeTest.java
@@ -354,7 +354,7 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
}
@Test
- public void testRefreshRpt() throws Exception {
+ public void testRefreshRpt() {
AccessTokenResponse accessTokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
AuthorizationResponse response = authorize(null, null, null, null, accessTokenResponse.getToken(), null, null, new PermissionRequest("Resource A", "ScopeA", "ScopeB"));
String rpt = response.getToken();
@@ -376,6 +376,10 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
assertNotNull(refreshToken);
+ AccessToken refreshTokenToken = toAccessToken(refreshToken);
+
+ assertNotNull(refreshTokenToken.getAuthorization());
+
Client client = ClientBuilder.newClient();
UriBuilder builder = UriBuilder.fromUri(AUTH_SERVER_ROOT);
URI uri = OIDCLoginProtocolService.tokenUrl(builder).build(REALM_NAME);
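Review bot: `assertNotNull(refreshTokenToken.getAuthorization())` only proves that the claim exists in the refresh token, not that it holds the permissions that were granted. An empty or altered permission set would still pass. The same non-null-only check is repeated in the hunks at -391 and -402. Checking the content would pin the behaviour the fix is about, for example `assertPermissions(refreshTokenToken.getAuthorization().getPermissions(), "Resource A", "ScopeA", "ScopeB");`, as the test already does for the access token.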
@@ -391,6 +395,10 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
.post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
assertNotNull(refreshTokenResponse.getToken());
+ refreshToken = refreshTokenResponse.getRefreshToken();
+ refreshTokenToken = toAccessToken(refreshToken);
+
+ assertNotNull(refreshTokenToken.getAuthorization());
AccessToken refreshedToken = toAccessToken(rpt);
authorization = refreshedToken.getAuthorization();
@@ -402,6 +410,27 @@ public class UmaGrantTypeTest extends AbstractResourceServerTest {
assertNotNull(permissions);
assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
assertTrue(permissions.isEmpty());
+
+ refreshTokenResponse = target.request()
+ .header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("resource-server-test", "secret"))
+ .post(Entity.form(parameters)).readEntity(AccessTokenResponse.class);
+
+ assertNotNull(refreshTokenResponse.getToken());
+ refreshToken = refreshTokenResponse.getRefreshToken();
+ refreshTokenToken = toAccessToken(refreshToken);
+
+ assertNotNull(refreshTokenToken.getAuthorization());
+
+ refreshedToken = toAccessToken(rpt);
+ authorization = refreshedToken.getAuthorization();
+
+ assertNotNull(authorization);
+
+ permissions = authorization.getPermissions();
+
+ assertNotNull(permissions);
+ assertPermissions(permissions, "Resource A", "ScopeA", "ScopeB");
+ assertTrue(permissions.isEmpty());
}
@Test
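Review bot: The second refresh added here posts the same `parameters` as the first one, so as far as the visible lines show it sends the original refresh token again rather than the one read into `refreshToken` from the first refresh response. A chained refresh (refresh token obtained from a refresh) is the case where a dropped authorization claim would surface, and it stays untested unless the form is rebuilt with the rotated token before the second POST. `parameters` is built outside the hunk, so this is inferred. In addition, `refreshedToken = toAccessToken(rpt);` decodes the RPT obtained before any refresh, so the permission assertions that follow do not look at the newly issued token. `refreshedToken = toAccessToken(refreshTokenResponse.getToken());` would check the refreshed one.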