From 234b7a06a171f83e3cd6d7a0f17c3597212122cb Mon Sep 17 00:00:00 2001
From: Pedro Igor <pigor.craveiro@gmail.com>
Date: Thu, 1 Nov 2018 13:10:09 -0300
Subject: [PATCH] [KEYCLOAK-7798] - Spring security adapter does not renew
 expired tokens

---
 .../filter/KeycloakSecurityContextRequestFilter.java            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java
index 3a937168c7..c0082579c8 100644
--- a/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java
+++ b/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakSecurityContextRequestFilter.java
@@ -63,7 +63,7 @@ public class KeycloakSecurityContextRequestFilter extends GenericFilterBean impl
             RefreshableKeycloakSecurityContext refreshableSecurityContext = (RefreshableKeycloakSecurityContext) keycloakSecurityContext;
             KeycloakDeployment deployment = resolveDeployment(request, response);
 
-            if (deployment.isAlwaysRefreshToken()) {
+            if (!refreshableSecurityContext.isActive() || deployment.isAlwaysRefreshToken()) {
                 if (refreshableSecurityContext.refreshExpiredToken(false)) {
                     request.setAttribute(KeycloakSecurityContext.class.getName(), refreshableSecurityContext);
                 } else {