KEYCLOAK-5280 (#4576)

services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java

@@ -309,6 +309,10 @@ public RefreshToken verifyRefreshToken(KeycloakSession session, RealmModel realm
         try {
             RefreshToken refreshToken = toRefreshToken(session, realm, encodedRefreshToken);
 
+            if (!(TokenUtil.TOKEN_TYPE_REFRESH.equals(refreshToken.getType()) || TokenUtil.TOKEN_TYPE_OFFLINE.equals(refreshToken.getType()))) {
+                throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token");
+            }
+
             if (checkExpiration) {
                 if (refreshToken.getExpiration() != 0 && refreshToken.isExpired()) {
                     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Refresh token expired");

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java

@@ -192,6 +192,19 @@ public void refreshTokenRequest() throws Exception {
 
         setTimeOffset(0);
     }
+    @Test
+    public void refreshTokenWithAccessToken() throws Exception {
+        oauth.doLogin("test-user@localhost", "password");
+
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+
+        OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
+        String accessTokenString = tokenResponse.getAccessToken();
+
+        OAuthClient.AccessTokenResponse response = oauth.doRefreshTokenRequest(accessTokenString, "password");
+
+        Assert.assertNotEquals(200, response.getStatusCode());
+    }
 
     @Test
     public void refreshTokenReuseTokenWithoutRefreshTokensRevoked() throws Exception {