Hi @lou,

I was unable to replicate this issue. I'm using 1.47.1.

I used the Login API for simplicity. I set up an application to Generate Refresh Tokens and Enable JWT refresh on the Security tab.

I set up that application with three roles, and a group with one of those roles. I then assigned a user to that group.

I called the Login API and got back a refresh token as well as an access token. I examined the access token and saw the expected one role.

I then added another role to the group. Then I called the /api/jwt/refresh endpoint and looked at the resulting access token. That access token now had 2 roles.

Here are the two requests:

curl -H 'Authorization: bf69486b-4733-4470-a592-f1bfce7af580' http://localhost:9011/api/login -d '{"applicationId":"85a03867-dccf-4882-adde-1a79aeec50df","loginId":"admin@example.com","password":"password"}' -H 'Content-type: application/json'

curl -H 'Authorization: bf69486b-4733-4470-a592-f1bfce7af580' http://localhost:9011/api/jwt/refresh -d '{"refreshToken": "fYFIudBHGFJMsBrmufiTJjvczKYkq6BvNTn3B6oIKRvXn4mJd4NQdA"}' -H 'Content-type: application/json'

A few more questions to see if we can track down this behavior:

What version of FusionAuth are you running?
Can you provide more detailed recreate steps?
Did you use the authorization code grant?
Did you do something else between the initial login and the token refresh?
How did you update the group role setting?
How many nodes of FusionAuth are you running?

Thanks,
Dan
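The procedure in the reply above (login, change the group's roles, refresh, compare the roles claim of the two access tokens) as a script. This is an added example, not code from the post or from FusionAuth. It assumes FusionAuth at http://localhost:9011 as in the requests above, an API key authorised for /api/login and /api/jwt/refresh, and that the access token carries its roles in a `roles` array claim; the two sample tokens at the bottom are constructed with a dummy signature so the decode-and-diff logic can be run without a server.

```python
"""Check whether a refreshed FusionAuth access token reflects a group-role change.

Added example, not FusionAuth's own code. Assumes FusionAuth at
http://localhost:9011 (as in the post) and an API key permitted to call
/api/login and /api/jwt/refresh.
"""
import base64
import json
import urllib.request

FUSIONAUTH_URL = "http://localhost:9011"  # assumption: same host as the post's curl requests


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Acceptable for inspecting a token you just received from your own server over
    a trusted channel; never use an unverified payload for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected JWS compact serialization (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def role_diff(before: dict, after: dict):
    """Return (added, removed) role names between the 'roles' claims of two access tokens."""
    old = set(before.get("roles", []))
    new = set(after.get("roles", []))
    return new - old, old - new


def fusionauth_post(api_key: str, path: str, body: dict) -> dict:
    """POST JSON to a FusionAuth API, authenticating with an API key in the Authorization header."""
    req = urllib.request.Request(
        FUSIONAUTH_URL + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def login(api_key: str, application_id: str, login_id: str, password: str) -> dict:
    """Login API as used in the post: returns 'token' and, when enabled, 'refreshToken'."""
    return fusionauth_post(api_key, "/api/login", {
        "applicationId": application_id, "loginId": login_id, "password": password,
    })


def refresh(api_key: str, refresh_token: str) -> dict:
    """/api/jwt/refresh: exchanges a refresh token for a new access token."""
    return fusionauth_post(api_key, "/api/jwt/refresh", {"refreshToken": refresh_token})


def live_check(api_key: str, application_id: str, login_id: str, password: str):
    """Replay the post's steps against a running FusionAuth: log in, pause while you
    change the group's roles in the admin UI, refresh, then diff the roles claims."""
    first = login(api_key, application_id, login_id, password)
    input("Change the group's roles in FusionAuth now, then press Enter...")
    second = refresh(api_key, first["refreshToken"])
    return role_diff(decode_jwt_claims(first["token"]), decode_jwt_claims(second["token"]))


# --- Offline demonstration with CONSTRUCTED tokens (dummy signature, not issued by
# FusionAuth) so the decode-and-diff logic can run without a server. ---
def _unsigned_token(claims: dict) -> str:
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".c2ln"


CONSTRUCTED_BEFORE = _unsigned_token(
    {"sub": "user-1", "applicationId": "app-1", "roles": ["role-a"]})
CONSTRUCTED_AFTER = _unsigned_token(
    {"sub": "user-1", "applicationId": "app-1", "roles": ["role-a", "role-b"]})


def demo():
    """Diff the constructed 'before' and 'after' tokens: expect role-b added, nothing removed."""
    return role_diff(decode_jwt_claims(CONSTRUCTED_BEFORE), decode_jwt_claims(CONSTRUCTED_AFTER))


if __name__ == "__main__":
    added, removed = demo()
    print("added:", sorted(added), "removed:", sorted(removed))
```

Run `live_check(api_key, application_id, login_id, password)` against a real instance to reproduce the steps in the reply; an empty "added" set after the refresh is the symptom the thread is about. Decoding without signature verification is deliberate here because the tokens come straight from the server over loopback; do not reuse `decode_jwt_claims` anywhere the token is untrusted.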