diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-tokens.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-tokens.html
index 382be7c91f..74b9b362ae 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-tokens.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/realm-tokens.html
@@ -11,13 +11,13 @@
         <form class="form-horizontal" name="realmForm" novalidate>
             <fieldset class="border-top">
                 <div class="form-group input-select">
-                    <label class="col-sm-2 control-label" for="tokenLifespan">Token lifespan</label>
+                    <label class="col-sm-2 control-label" for="accessTokenLifespan">Access Token lifespan</label>
                     <div class="col-sm-10">
                         <div class="row">
                             <div class="col-sm-2">
                                 <input class="form-control" type="number" required min="1"
-                                       max="31536000" data-ng-model="realm.tokenLifespan"
-                                       id="tokenLifespan" name="tokenLifespan"/>
+                                       max="31536000" data-ng-model="realm.accessTokenLifespan"
+                                       id="accessTokenLifespan" name="accessTokenLifespan"/>
                             </div>
                             <div class="col-sm-2 select-kc">
                                 <select name="tokenLifespanUnit" data-ng-model="realm.tokenLifespanUnit" >
diff --git a/core/src/main/java/org/keycloak/representations/AccessToken.java b/core/src/main/java/org/keycloak/representations/AccessToken.java
index fd93257b99..8341c573fd 100755
--- a/core/src/main/java/org/keycloak/representations/AccessToken.java
+++ b/core/src/main/java/org/keycloak/representations/AccessToken.java
@@ -19,6 +19,19 @@ public class AccessToken extends JsonWebToken {
         @JsonProperty("verify_caller")
         protected Boolean verifyCaller;
 
+        public Access() {
+        }
+
+        public Access clone() {
+            Access access = new Access();
+            access.verifyCaller = verifyCaller;
+            if (roles != null) {
+                access.roles = new HashSet<String>();
+                access.roles.addAll(roles);
+            }
+            return access;
+        }
+
         public Set<String> getRoles() {
             return roles;
         }
diff --git a/core/src/main/java/org/keycloak/representations/RefreshToken.java b/core/src/main/java/org/keycloak/representations/RefreshToken.java
new file mode 100755
index 0000000000..7d90931e3a
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/RefreshToken.java
@@ -0,0 +1,36 @@
+package org.keycloak.representations;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class RefreshToken extends AccessToken {
+    public RefreshToken() {
+        type("REFRESH");
+    }
+
+    /**
+     * Deep copies issuer, subject, issuedFor, realmAccess, and resourceAccess
+     * from AccessToken.
+     *
+     * @param token
+     */
+    public RefreshToken(AccessToken token) {
+        this();
+        this.issuer = token.issuer;
+        this.subject = token.subject;
+        this.issuedFor = token.issuedFor;
+        if (token.realmAccess != null) {
+            realmAccess = token.realmAccess.clone();
+        }
+        if (token.resourceAccess != null) {
+            resourceAccess = new HashMap<String, Access>();
+            for (Map.Entry<String, Access> entry : token.resourceAccess.entrySet()) {
+                resourceAccess.put(entry.getKey(), entry.getValue().clone());
+            }
+        }
+    }
+}
diff --git a/core/src/main/java/org/keycloak/representations/idm/PublishedRealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/PublishedRealmRepresentation.java
index 904b6924c0..4f1f2ea688 100755
--- a/core/src/main/java/org/keycloak/representations/idm/PublishedRealmRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/PublishedRealmRepresentation.java
@@ -29,9 +29,6 @@ public class PublishedRealmRepresentation {
     @JsonProperty("grants")
     protected String grantUrl;
 
-    @JsonProperty("identity-grants")
-    protected String identityGrantUrl;
-
     @JsonProperty("admin-role")
     protected String adminRole;
 
@@ -124,12 +121,4 @@ public class PublishedRealmRepresentation {
     public void setGrantUrl(String grantUrl) {
         this.grantUrl = grantUrl;
     }
-
-    public String getIdentityGrantUrl() {
-        return identityGrantUrl;
-    }
-
-    public void setIdentityGrantUrl(String identityGrantUrl) {
-        this.identityGrantUrl = identityGrantUrl;
-    }
 }
diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
index e11dc57ee4..e4d70bb7ae 100755
--- a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
@@ -13,7 +13,7 @@ public class RealmRepresentation {
     protected String self; // link
     protected String id;
     protected String realm;
-    protected Integer tokenLifespan;
+    protected Integer accessTokenLifespan;
     protected Integer accessCodeLifespan;
     protected Integer accessCodeLifespanUserAction;
     protected Boolean enabled;
@@ -114,12 +114,12 @@ public class RealmRepresentation {
         this.sslNotRequired = sslNotRequired;
     }
 
-    public Integer getTokenLifespan() {
-        return tokenLifespan;
+    public Integer getAccessTokenLifespan() {
+        return accessTokenLifespan;
     }
 
-    public void setTokenLifespan(Integer tokenLifespan) {
-        this.tokenLifespan = tokenLifespan;
+    public void setAccessTokenLifespan(Integer accessTokenLifespan) {
+        this.accessTokenLifespan = accessTokenLifespan;
     }
 
     public List<UserRoleMappingRepresentation> getRoleMappings() {
diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json
index 1183de8243..9f0fb13eaa 100755
--- a/examples/demo-template/testrealm.json
+++ b/examples/demo-template/testrealm.json
@@ -1,7 +1,7 @@
 {
     "realm": "demo",
     "enabled": true,
-    "tokenLifespan": 3000,
+    "accessTokenLifespan": 3000,
     "accessCodeLifespan": 10,
     "accessCodeLifespanUserAction": 6000,
     "sslNotRequired": true,
diff --git a/model/api/src/main/java/org/keycloak/models/RealmModel.java b/model/api/src/main/java/org/keycloak/models/RealmModel.java
index 6f22121333..a0aad3785a 100755
--- a/model/api/src/main/java/org/keycloak/models/RealmModel.java
+++ b/model/api/src/main/java/org/keycloak/models/RealmModel.java
@@ -38,9 +38,13 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
 
     void setResetPasswordAllowed(boolean resetPasswordAllowed);
 
-    int getTokenLifespan();
+    int getAccessTokenLifespan();
 
-    void setTokenLifespan(int tokenLifespan);
+    void setAccessTokenLifespan(int tokenLifespan);
+
+    int getRefreshTokenLifespan();
+
+    void setRefreshTokenLifespan(int tokenLifespan);
 
     int getAccessCodeLifespan();
 
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
index a4a6cb7a0f..608788e566 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
@@ -128,13 +128,24 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
-    public int getTokenLifespan() {
-        return realm.getTokenLifespan();
+    public int getAccessTokenLifespan() {
+        return realm.getAccessTokenLifespan();
     }
 
     @Override
-    public void setTokenLifespan(int tokenLifespan) {
-        realm.setTokenLifespan(tokenLifespan);
+    public void setAccessTokenLifespan(int tokenLifespan) {
+        realm.setAccessTokenLifespan(tokenLifespan);
+        em.flush();
+    }
+
+    @Override
+    public int getRefreshTokenLifespan() {
+        return realm.getRefreshTokenLifespan();
+    }
+
+    @Override
+    public void setRefreshTokenLifespan(int tokenLifespan) {
+        realm.setRefreshTokenLifespan(tokenLifespan);
         em.flush();
     }
 
diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
index e6967e37b0..d744bffe2f 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
@@ -43,9 +43,10 @@ public class RealmEntity {
     protected boolean updateProfileOnInitialSocialLogin;
     protected String passwordPolicy;
 
-    protected int tokenLifespan;
+    protected int accessTokenLifespan;
     protected int accessCodeLifespan;
     protected int accessCodeLifespanUserAction;
+    protected int refreshTokenLifespan;
 
     @Column(length = 2048)
     protected String publicKeyPem;
@@ -161,12 +162,20 @@ public class RealmEntity {
         this.updateProfileOnInitialSocialLogin = updateProfileOnInitialSocialLogin;
     }
 
-    public int getTokenLifespan() {
-        return tokenLifespan;
+    public int getRefreshTokenLifespan() {
+        return refreshTokenLifespan;
     }
 
-    public void setTokenLifespan(int tokenLifespan) {
-        this.tokenLifespan = tokenLifespan;
+    public void setRefreshTokenLifespan(int refreshTokenLifespan) {
+        this.refreshTokenLifespan = refreshTokenLifespan;
+    }
+
+    public int getAccessTokenLifespan() {
+        return accessTokenLifespan;
+    }
+
+    public void setAccessTokenLifespan(int accessTokenLifespan) {
+        this.accessTokenLifespan = accessTokenLifespan;
     }
 
     public int getAccessCodeLifespan() {
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
index 91aa0bfbe5..06991cc70d 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
@@ -167,13 +167,24 @@ public class RealmAdapter extends AbstractAdapter implements RealmModel {
     }
 
     @Override
-    public int getTokenLifespan() {
-        return realm.getTokenLifespan();
+    public int getAccessTokenLifespan() {
+        return realm.getAccessTokenLifespan();
     }
 
     @Override
-    public void setTokenLifespan(int tokenLifespan) {
-        realm.setTokenLifespan(tokenLifespan);
+    public void setAccessTokenLifespan(int tokenLifespan) {
+        realm.setAccessTokenLifespan(tokenLifespan);
+        updateRealm();
+    }
+
+    @Override
+    public int getRefreshTokenLifespan() {
+        return realm.getRefreshTokenLifespan();
+    }
+
+    @Override
+    public void setRefreshTokenLifespan(int tokenLifespan) {
+        realm.setRefreshTokenLifespan(tokenLifespan);
         updateRealm();
     }
 
diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java
index 6ee2fdf652..57fe31eecb 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/RealmEntity.java
@@ -29,9 +29,10 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
     private boolean updateProfileOnInitialSocialLogin;
     private String passwordPolicy;
 
-    private int tokenLifespan;
+    private int accessTokenLifespan;
     private int accessCodeLifespan;
     private int accessCodeLifespanUserAction;
+    private int refreshTokenLifespan;
 
     private String publicKeyPem;
     private String privateKeyPem;
@@ -131,12 +132,21 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
     }
 
     @MongoField
-    public int getTokenLifespan() {
-        return tokenLifespan;
+    public int getAccessTokenLifespan() {
+        return accessTokenLifespan;
     }
 
-    public void setTokenLifespan(int tokenLifespan) {
-        this.tokenLifespan = tokenLifespan;
+    public void setAccessTokenLifespan(int accessTokenLifespan) {
+        this.accessTokenLifespan = accessTokenLifespan;
+    }
+
+    @MongoField
+    public int getRefreshTokenLifespan() {
+        return refreshTokenLifespan;
+    }
+
+    public void setRefreshTokenLifespan(int refreshTokenLifespan) {
+        this.refreshTokenLifespan = refreshTokenLifespan;
     }
 
     @MongoField
diff --git a/model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java b/model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java
index cd18852239..ea6fa66cbd 100755
--- a/model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java
+++ b/model/tests/src/test/java/org/keycloak/model/test/AdapterTest.java
@@ -47,7 +47,7 @@ public class AdapterTest extends AbstractModelTest {
         realmModel.setName("JUGGLER");
         realmModel.setPrivateKeyPem("0234234");
         realmModel.setPublicKeyPem("0234234");
-        realmModel.setTokenLifespan(1000);
+        realmModel.setAccessTokenLifespan(1000);
         realmModel.setUpdateProfileOnInitialSocialLogin(true);
         realmModel.addDefaultRole("foo");
 
@@ -56,7 +56,7 @@ public class AdapterTest extends AbstractModelTest {
         Assert.assertNotNull(realmModel);
         Assert.assertEquals(realmModel.getAccessCodeLifespan(), 100);
         Assert.assertEquals(600, realmModel.getAccessCodeLifespanUserAction());
-        Assert.assertEquals(realmModel.getTokenLifespan(), 1000);
+        Assert.assertEquals(realmModel.getAccessTokenLifespan(), 1000);
         Assert.assertEquals(realmModel.isEnabled(), true);
         Assert.assertEquals(realmModel.getName(), "JUGGLER");
         Assert.assertEquals(realmModel.getPrivateKeyPem(), "0234234");
@@ -75,7 +75,7 @@ public class AdapterTest extends AbstractModelTest {
         realmModel.setName("JUGGLER");
         realmModel.setPrivateKeyPem("0234234");
         realmModel.setPublicKeyPem("0234234");
-        realmModel.setTokenLifespan(1000);
+        realmModel.setAccessTokenLifespan(1000);
         realmModel.setUpdateProfileOnInitialSocialLogin(true);
         realmModel.addDefaultRole("foo");
 
@@ -84,7 +84,7 @@ public class AdapterTest extends AbstractModelTest {
         Assert.assertNotNull(realmModel);
         Assert.assertEquals(realmModel.getAccessCodeLifespan(), 100);
         Assert.assertEquals(600, realmModel.getAccessCodeLifespanUserAction());
-        Assert.assertEquals(realmModel.getTokenLifespan(), 1000);
+        Assert.assertEquals(realmModel.getAccessTokenLifespan(), 1000);
         Assert.assertEquals(realmModel.isEnabled(), true);
         Assert.assertEquals(realmModel.getName(), "JUGGLER");
         Assert.assertEquals(realmModel.getPrivateKeyPem(), "0234234");
diff --git a/model/tests/src/test/java/org/keycloak/model/test/AuthenticationManagerTest.java b/model/tests/src/test/java/org/keycloak/model/test/AuthenticationManagerTest.java
index 324802b4d1..c4d316c993 100755
--- a/model/tests/src/test/java/org/keycloak/model/test/AuthenticationManagerTest.java
+++ b/model/tests/src/test/java/org/keycloak/model/test/AuthenticationManagerTest.java
@@ -127,7 +127,7 @@ public class AuthenticationManagerTest extends AbstractModelTest {
         realm.setName("Test");
         realm.setPrivateKeyPem("0234234");
         realm.setPublicKeyPem("0234234");
-        realm.setTokenLifespan(1000);
+        realm.setAccessTokenLifespan(1000);
         realm.addRequiredCredential(CredentialRepresentation.PASSWORD);
 
         am = new AuthenticationManager();
diff --git a/model/tests/src/test/java/org/keycloak/model/test/ModelTest.java b/model/tests/src/test/java/org/keycloak/model/test/ModelTest.java
index bdc7d3b299..33e8490477 100755
--- a/model/tests/src/test/java/org/keycloak/model/test/ModelTest.java
+++ b/model/tests/src/test/java/org/keycloak/model/test/ModelTest.java
@@ -22,7 +22,7 @@ public class ModelTest extends AbstractModelTest {
         realm.setSocial(true);
         realm.setSslNotRequired(true);
         realm.setVerifyEmail(true);
-        realm.setTokenLifespan(1000);
+        realm.setAccessTokenLifespan(1000);
         realm.setPasswordPolicy(new PasswordPolicy("length"));
         realm.setAccessCodeLifespan(1001);
         realm.setAccessCodeLifespanUserAction(1002);
@@ -55,7 +55,7 @@ public class ModelTest extends AbstractModelTest {
         Assert.assertEquals(expected.isSocial(), actual.isSocial());
         Assert.assertEquals(expected.isSslNotRequired(), actual.isSslNotRequired());
         Assert.assertEquals(expected.isVerifyEmail(), actual.isVerifyEmail());
-        Assert.assertEquals(expected.getTokenLifespan(), actual.getTokenLifespan());
+        Assert.assertEquals(expected.getAccessTokenLifespan(), actual.getAccessTokenLifespan());
 
         Assert.assertEquals(expected.getAccessCodeLifespan(), actual.getAccessCodeLifespan());
         Assert.assertEquals(expected.getAccessCodeLifespanUserAction(), actual.getAccessCodeLifespanUserAction());
diff --git a/model/tests/src/test/resources/testcomposites.json b/model/tests/src/test/resources/testcomposites.json
index 2ac02cec1b..6c11b4eac7 100755
--- a/model/tests/src/test/resources/testcomposites.json
+++ b/model/tests/src/test/resources/testcomposites.json
@@ -2,7 +2,7 @@
     "id": "Test",
     "realm": "Test",
     "enabled": true,
-    "tokenLifespan": 600,
+    "accessTokenLifespan": 600,
     "accessCodeLifespan": 600,
     "accessCodeLifespanUserAction": 600,
     "sslNotRequired": true,
diff --git a/model/tests/src/test/resources/testrealm-demo.json b/model/tests/src/test/resources/testrealm-demo.json
index 7cf10724ef..136a14424f 100755
--- a/model/tests/src/test/resources/testrealm-demo.json
+++ b/model/tests/src/test/resources/testrealm-demo.json
@@ -1,7 +1,7 @@
 {
     "realm": "demo",
     "enabled": true,
-    "tokenLifespan": 300,
+    "accessTokenLifespan": 300,
     "accessCodeLifespan": 10,
     "accessCodeLifespanUserAction": 600,
     "sslNotRequired": true,
diff --git a/model/tests/src/test/resources/testrealm.json b/model/tests/src/test/resources/testrealm.json
index a78c234bb1..e1148da464 100755
--- a/model/tests/src/test/resources/testrealm.json
+++ b/model/tests/src/test/resources/testrealm.json
@@ -1,7 +1,7 @@
 {
     "realm": "test-realm",
     "enabled": true,
-    "tokenLifespan": 6000,
+    "accessTokenLifespan": 6000,
     "accessCodeLifespan": 30,
     "accessCodeLifespanUserAction": 600,
     "requiredCredentials": [ "password" ],
diff --git a/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java b/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java
index f4ea7df8f6..93a8e47a00 100755
--- a/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java
+++ b/services/src/main/java/org/keycloak/services/managers/ApplianceBootstrap.java
@@ -11,8 +11,6 @@ import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.representations.idm.CredentialRepresentation;
 
-import java.util.UUID;
-
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
@@ -48,7 +46,7 @@ public class ApplianceBootstrap {
         realm.addRequiredCredential(CredentialRepresentation.PASSWORD);
         realm.addRequiredOAuthClientCredential(CredentialRepresentation.PASSWORD);
         realm.addRequiredResourceCredential(CredentialRepresentation.PASSWORD);
-        realm.setTokenLifespan(300);
+        realm.setAccessTokenLifespan(300);
         realm.setAccessCodeLifespan(60);
         realm.setAccessCodeLifespanUserAction(300);
         realm.setSslNotRequired(true);
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index 7d48d3e8b4..14adb6b0a4 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -46,8 +46,8 @@ public class AuthenticationManager {
         token.issuedNow();
         token.subject(user.getId());
         token.audience(realm.getName());
-        if (realm.getTokenLifespan() > 0) {
-            token.expiration((System.currentTimeMillis() / 1000) + realm.getTokenLifespan());
+        if (realm.getAccessTokenLifespan() > 0) {
+            token.expiration((System.currentTimeMillis() / 1000) + realm.getAccessTokenLifespan());
         }
         return token;
     }
diff --git a/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java b/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java
index d2bacbafa1..c9e921b25e 100755
--- a/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java
+++ b/services/src/main/java/org/keycloak/services/managers/ModelToRepresentation.java
@@ -71,7 +71,7 @@ public class ModelToRepresentation {
         rep.setRegistrationAllowed(realm.isRegistrationAllowed());
         rep.setVerifyEmail(realm.isVerifyEmail());
         rep.setResetPasswordAllowed(realm.isResetPasswordAllowed());
-        rep.setTokenLifespan(realm.getTokenLifespan());
+        rep.setAccessTokenLifespan(realm.getAccessTokenLifespan());
         rep.setAccessCodeLifespan(realm.getAccessCodeLifespan());
         rep.setAccessCodeLifespanUserAction(realm.getAccessCodeLifespanUserAction());
         rep.setSmtpServer(realm.getSmtpConfig());
diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
index 5cc26ce9ff..4148ca02a1 100755
--- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java
@@ -7,7 +7,6 @@ import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.OAuthClientModel;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.RealmModel;
-import org.keycloak.models.RequiredCredentialModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.SocialLinkModel;
 import org.keycloak.models.UserCredentialModel;
@@ -28,14 +27,10 @@ import org.keycloak.representations.idm.UserRoleMappingRepresentation;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
-import java.util.UUID;
-import java.util.concurrent.atomic.AtomicLong;
 
 /**
  * Per request object
@@ -110,7 +105,7 @@ public class RealmManager {
         if (rep.getAccessCodeLifespan() != null) realm.setAccessCodeLifespan(rep.getAccessCodeLifespan());
         if (rep.getAccessCodeLifespanUserAction() != null)
             realm.setAccessCodeLifespanUserAction(rep.getAccessCodeLifespanUserAction());
-        if (rep.getTokenLifespan() != null) realm.setTokenLifespan(rep.getTokenLifespan());
+        if (rep.getAccessTokenLifespan() != null) realm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
         if (rep.getRequiredCredentials() != null) {
             realm.updateRequiredCredentials(rep.getRequiredCredentials());
         }
@@ -163,8 +158,8 @@ public class RealmManager {
         if (rep.isEnabled() != null) newRealm.setEnabled(rep.isEnabled());
         if (rep.isSocial() != null) newRealm.setSocial(rep.isSocial());
 
-        if (rep.getTokenLifespan() != null) newRealm.setTokenLifespan(rep.getTokenLifespan());
-        else newRealm.setTokenLifespan(300);
+        if (rep.getAccessTokenLifespan() != null) newRealm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
+        else newRealm.setAccessTokenLifespan(300);
 
         if (rep.getAccessCodeLifespan() != null) newRealm.setAccessCodeLifespan(rep.getAccessCodeLifespan());
         else newRealm.setAccessCodeLifespan(60);
diff --git a/services/src/main/java/org/keycloak/services/managers/TokenManager.java b/services/src/main/java/org/keycloak/services/managers/TokenManager.java
index f6555a015d..74b5bd406c 100755
--- a/services/src/main/java/org/keycloak/services/managers/TokenManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/TokenManager.java
@@ -12,10 +12,12 @@ import org.keycloak.representations.AccessToken;
 import org.keycloak.util.Base64Url;
 import org.keycloak.util.JsonSerialization;
 
+import javax.ws.rs.core.MultivaluedHashMap;
 import javax.ws.rs.core.MultivaluedMap;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -78,12 +80,44 @@ public class TokenManager {
 
 
     public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) {
+        AccessCodeEntry code = createAccessCodeEntry(scopeParam, state, redirect, realm, client, user);
+        accessCodeMap.put(code.getId(), code);
+        return code;
+    }
+
+    private AccessCodeEntry createAccessCodeEntry(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) {
         AccessCodeEntry code = new AccessCodeEntry();
-        AccessScope scopeMap = null;
-        if (scopeParam != null) scopeMap = decodeScope(scopeParam);
         List<RoleModel> realmRolesRequested = code.getRealmRolesRequested();
         MultivaluedMap<String, RoleModel> resourceRolesRequested = code.getResourceRolesRequested();
 
+        AccessToken token = createClientAccessToken(scopeParam, realm, client, user, realmRolesRequested, resourceRolesRequested);
+
+        code.setToken(token);
+        code.setRealm(realm);
+        code.setExpiration((System.currentTimeMillis() / 1000) + realm.getAccessCodeLifespan());
+        code.setClient(client);
+        code.setUser(user);
+        code.setState(state);
+        code.setRedirectUri(redirect);
+        String accessCode = null;
+        try {
+            accessCode = new JWSBuilder().content(code.getId().getBytes("UTF-8")).rsa256(realm.getPrivateKey());
+        } catch (UnsupportedEncodingException e) {
+            throw new RuntimeException(e);
+        }
+        code.setCode(accessCode);
+        return code;
+    }
+
+    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, UserModel client, UserModel user) {
+        return createClientAccessToken(scopeParam, realm, client, user, new LinkedList<RoleModel>(), new MultivaluedHashMap<String, RoleModel>());
+    }
+
+
+    public AccessToken createClientAccessToken(String scopeParam, RealmModel realm, UserModel client, UserModel user, List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested) {
+        AccessScope scopeMap = null;
+        if (scopeParam != null) scopeMap = decodeScope(scopeParam);
+
 
         Set<RoleModel> roleMappings = realm.getRoleMappings(user);
         Set<RoleModel> scopeMappings = realm.getScopeMappings(client);
@@ -113,22 +147,22 @@ public class TokenManager {
             }
         }
 
-        createToken(code, realm, client, user);
-        code.setRealm(realm);
-        code.setExpiration((System.currentTimeMillis() / 1000) + realm.getAccessCodeLifespan());
-        code.setClient(client);
-        code.setUser(user);
-        code.setState(state);
-        code.setRedirectUri(redirect);
-        accessCodeMap.put(code.getId(), code);
-        String accessCode = null;
-        try {
-            accessCode = new JWSBuilder().content(code.getId().getBytes("UTF-8")).rsa256(realm.getPrivateKey());
-        } catch (UnsupportedEncodingException e) {
-            throw new RuntimeException(e);
+        AccessToken token = initToken(realm, client, user);
+
+        if (realmRolesRequested.size() > 0) {
+            for (RoleModel role : realmRolesRequested) {
+                addComposites(token, role);
+            }
         }
-        code.setCode(accessCode);
-        return code;
+
+        if (resourceRolesRequested.size() > 0) {
+            for (List<RoleModel> roles : resourceRolesRequested.values()) {
+                for (RoleModel role : roles) {
+                    addComposites(token, role);
+                }
+            }
+        }
+        return token;
     }
 
     protected AccessToken initToken(RealmModel realm, UserModel client, UserModel user) {
@@ -138,8 +172,8 @@ public class TokenManager {
         token.audience(realm.getName());
         token.issuedNow();
         token.issuedFor(client.getLoginName());
-        if (realm.getTokenLifespan() > 0) {
-            token.expiration((System.currentTimeMillis() / 1000) + realm.getTokenLifespan());
+        if (realm.getAccessTokenLifespan() > 0) {
+            token.expiration((System.currentTimeMillis() / 1000) + realm.getAccessTokenLifespan());
         }
         Set<String> allowedOrigins = client.getWebOrigins();
         if (allowedOrigins != null) {
@@ -176,26 +210,6 @@ public class TokenManager {
 
     }
 
-    protected void createToken(AccessCodeEntry accessCodeEntry, RealmModel realm, UserModel client, UserModel user) {
-
-        AccessToken token = initToken(realm, client, user);
-
-        if (accessCodeEntry.getRealmRolesRequested().size() > 0) {
-            for (RoleModel role : accessCodeEntry.getRealmRolesRequested()) {
-                addComposites(token, role);
-            }
-        }
-
-        if (accessCodeEntry.getResourceRolesRequested().size() > 0) {
-            for (List<RoleModel> roles : accessCodeEntry.getResourceRolesRequested().values()) {
-                for (RoleModel role : roles) {
-                    addComposites(token, role);
-                }
-            }
-        }
-        accessCodeEntry.setToken(token);
-    }
-
     public String encodeScope(AccessScope scope) {
         String token = null;
         try {
@@ -224,8 +238,8 @@ public class TokenManager {
         token.issuedNow();
         token.subject(user.getId());
         token.audience(realm.getName());
-        if (realm.getTokenLifespan() > 0) {
-            token.expiration((System.currentTimeMillis() / 1000) + realm.getTokenLifespan());
+        if (realm.getAccessTokenLifespan() > 0) {
+            token.expiration((System.currentTimeMillis() / 1000) + realm.getAccessTokenLifespan());
         }
         for (RoleModel role : realm.getRoleMappings(user)) {
             addComposites(token, role);
diff --git a/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java b/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java
index 1b699aae9c..944f1a99bf 100755
--- a/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/PublicRealmResource.java
@@ -53,13 +53,11 @@ public class PublicRealmResource {
         String authUri = TokenService.loginPageUrl(uriInfo).build(realm.getName()).toString();
         String codeUri = TokenService.accessCodeToTokenUrl(uriInfo).build(realm.getName()).toString();
         String grantUrl = TokenService.grantAccessTokenUrl(uriInfo).build(realm.getName()).toString();
-        String idGrantUrl = TokenService.grantIdentityTokenUrl(uriInfo).build(realm.getName()).toString();
 
         html.append("<html><body><h1>Realm: ").append(realm.getName()).append("</h1>");
         html.append("<p>auth: ").append(authUri).append("</p>");
         html.append("<p>code: ").append(codeUri).append("</p>");
         html.append("<p>grant: ").append(grantUrl).append("</p>");
-        html.append("<p>identity grant: ").append(idGrantUrl).append("</p>");
         html.append("<p>public key: ").append(realm.getPublicKeyPem()).append("</p>");
         html.append("</body></html>");
 
@@ -77,8 +75,6 @@ public class PublicRealmResource {
         rep.setAuthorizationUrl(TokenService.loginPageUrl(uriInfo).build(realm.getName()).toString());
         rep.setCodeUrl(TokenService.accessCodeToTokenUrl(uriInfo).build(realm.getName()).toString());
         rep.setGrantUrl(TokenService.grantAccessTokenUrl(uriInfo).build(realm.getName()).toString());
-        String idGrantUrl = TokenService.grantIdentityTokenUrl(uriInfo).build(realm.getName()).toString();
-        rep.setIdentityGrantUrl(idGrantUrl);
         return rep;
     }
 
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index cf86534886..f38c985174 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -29,6 +29,7 @@ import org.keycloak.services.resources.flows.OAuthFlows;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.util.BasicAuthHelper;
 
+import javax.ws.rs.BadRequestException;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.HeaderParam;
@@ -108,11 +109,6 @@ public class TokenService {
 
     }
 
-    public static UriBuilder grantIdentityTokenUrl(UriInfo uriInfo) {
-        return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "grantIdentityToken");
-
-    }
-
     public static UriBuilder loginPageUrl(UriInfo uriInfo) {
         return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "loginPage");
     }
@@ -129,45 +125,19 @@ public class TokenService {
         return tokenServiceBaseUrl(uriInfo).path(TokenService.class, "processOAuth");
     }
 
-    @Path("grants/identity-token")
-    @POST
-    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
-    @Produces(MediaType.APPLICATION_JSON)
-    public Response grantIdentityToken(final MultivaluedMap<String, String> form) {
-        if (!checkSsl()) {
-            throw new NotAcceptableException("HTTPS required");
-        }
-
-        String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
-        if (username == null) {
-            throw new NotAuthorizedException("No user");
-        }
-        if (!realm.isEnabled()) {
-            throw new NotAuthorizedException("Disabled realm");
-        }
-        UserModel user = realm.getUser(username);
-
-        AuthenticationStatus status = authManager.authenticateForm(realm, user, form);
-        if (status != AuthenticationStatus.SUCCESS) {
-            throw new NotAuthorizedException(status);
-        }
-
-        tokenManager = new TokenManager();
-        AccessToken token = authManager.createIdentityToken(realm, user);
-        String encoded = tokenManager.encodeToken(realm, token);
-        AccessTokenResponse res = accessTokenResponse(token, encoded);
-        return Response.ok(res, MediaType.APPLICATION_JSON_TYPE).build();
-    }
-
     @Path("grants/access")
     @POST
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     @Produces(MediaType.APPLICATION_JSON)
-    public Response grantAccessToken(final MultivaluedMap<String, String> form) {
+    public Response grantAccessToken(final @HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader,
+                                     final MultivaluedMap<String, String> form) {
         if (!checkSsl()) {
             throw new NotAcceptableException("HTTPS required");
         }
 
+        UserModel client = authorizeClient(authorizationHeader);
+
+
         String username = form.getFirst(AuthenticationManager.FORM_USERNAME);
         if (username == null) {
             throw new NotAuthorizedException("No user");
@@ -185,7 +155,8 @@ public class TokenService {
         if (authManager.authenticateForm(realm, user, form) != AuthenticationStatus.SUCCESS) {
             throw new NotAuthorizedException("Auth failed");
         }
-        AccessToken token = tokenManager.createAccessToken(realm, user);
+        String scope = form.getFirst("scope");
+        AccessToken token = tokenManager.createClientAccessToken(scope, realm, client, user);
         String encoded = tokenManager.encodeToken(realm, token);
         AccessTokenResponse res = accessTokenResponse(token, encoded);
         return Response.ok(res, MediaType.APPLICATION_JSON_TYPE).build();
@@ -341,47 +312,14 @@ public class TokenService {
             throw new NotAuthorizedException("Realm not enabled");
         }
 
-        if (authorizationHeader == null) {
-            throw new NotAuthorizedException("No Authorization header to authenticate client", "Basic realm=\"" + realm.getName() + "\"");
-        }
-
-        String[] usernameSecret = BasicAuthHelper.parseHeader(authorizationHeader);
-        if (usernameSecret == null) {
-            throw new NotAuthorizedException("No Authorization header to authenticate client", "Basic realm=\"" + realm.getName() + "\"");
-        }
-
-        String client_id = usernameSecret[0];
-        String clientSecret = usernameSecret[1];
-        UserModel client = realm.getUser(client_id);
-        if (client == null) {
-            logger.debug("Could not find user");
-            Map<String, String> error = new HashMap<String, String>();
-            error.put("error", "invalid_client");
-            error.put("error_description", "Could not find user");
-            return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
-        }
-
-        if (!client.isEnabled()) {
-            logger.debug("user is not enabled");
-            Map<String, String> error = new HashMap<String, String>();
-            error.put("error", "invalid_client");
-            error.put("error_description", "User is not enabled");
-            return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
-        }
-
-        if (!realm.validateSecret(client, clientSecret)) {
-            Map<String, String> error = new HashMap<String, String>();
-            error.put("error", "unauthorized_client");
-            return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
-        }
+        UserModel client = authorizeClient(authorizationHeader);
 
         String code = formData.getFirst("code");
         if (code == null) {
-            logger.debug("code not specified");
             Map<String, String> error = new HashMap<String, String>();
             error.put("error", "invalid_request");
             error.put("error_description", "code not specified");
-            return Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build();
+            throw new BadRequestException("Code not specified", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
 
         }
 
@@ -435,6 +373,41 @@ public class TokenService {
         return Cors.add(request, Response.ok(res)).allowedOrigins(client).allowedMethods("POST").build();
     }
 
+    protected UserModel authorizeClient(String authorizationHeader) {
+        if (authorizationHeader == null) {
+            throw new NotAuthorizedException("No Authorization header to authenticate client", "Basic realm=\"" + realm.getName() + "\"");
+        }
+
+        String[] usernameSecret = BasicAuthHelper.parseHeader(authorizationHeader);
+        if (usernameSecret == null) {
+            throw new NotAuthorizedException("No Authorization header to authenticate client", "Basic realm=\"" + realm.getName() + "\"");
+        }
+
+        String client_id = usernameSecret[0];
+        String clientSecret = usernameSecret[1];
+        UserModel client = realm.getUser(client_id);
+        if (client == null) {
+            Map<String, String> error = new HashMap<String, String>();
+            error.put("error", "invalid_client");
+            error.put("error_description", "Could not find client");
+            throw new BadRequestException("Could not find client", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
+        }
+
+        if (!client.isEnabled()) {
+            Map<String, String> error = new HashMap<String, String>();
+            error.put("error", "invalid_client");
+            error.put("error_description", "Client is not enabled");
+            throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
+        }
+
+        if (!realm.validateSecret(client, clientSecret)) {
+            Map<String, String> error = new HashMap<String, String>();
+            error.put("error", "unauthorized_client");
+            throw new BadRequestException("Unauthorized Client", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
+        }
+        return client;
+    }
+
     protected AccessTokenResponse accessTokenResponse(PrivateKey privateKey, AccessToken token) {
         String encodedToken = new JWSBuilder().jsonContent(token).rsa256(privateKey);
 
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java
index adc8bf54c9..720ea52e3f 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/composites/CompositeRoleTest.java
@@ -57,7 +57,7 @@ public class CompositeRoleTest {
             RealmModel realm = manager.createRealm("Test");
             manager.generateRealmKeys(realm);
             realmPublicKey = realm.getPublicKey();
-            realm.setTokenLifespan(10000);
+            realm.setAccessTokenLifespan(10000);
             realm.setAccessCodeLifespanUserAction(1000);
             realm.setAccessCodeLifespan(1000);
             realm.setSslNotRequired(true);
diff --git a/testsuite/integration/src/test/resources/testcomposite.json b/testsuite/integration/src/test/resources/testcomposite.json
index 19b662e9f5..cfdd2c73c5 100755
--- a/testsuite/integration/src/test/resources/testcomposite.json
+++ b/testsuite/integration/src/test/resources/testcomposite.json
@@ -2,7 +2,7 @@
     "id": "Test",
     "realm": "Test",
     "enabled": true,
-    "tokenLifespan": 600,
+    "accessTokenLifespan": 600,
     "accessCodeLifespan": 600,
     "accessCodeLifespanUserAction": 600,
     "sslNotRequired": true,
diff --git a/testsuite/integration/src/test/resources/testrealm.json b/testsuite/integration/src/test/resources/testrealm.json
index e040c2cd4b..72db7ca928 100755
--- a/testsuite/integration/src/test/resources/testrealm.json
+++ b/testsuite/integration/src/test/resources/testrealm.json
@@ -2,7 +2,7 @@
     "id": "test",
     "realm": "test",
     "enabled": true,
-    "tokenLifespan": 600,
+    "accessTokenLifespan": 600,
     "accessCodeLifespan": 600,
     "accessCodeLifespanUserAction": 600,
     "sslNotRequired": true,