While developing with the Keycloak admin REST API, I found that a call to
(refresh token way) with an expired/invalid refresh token returns a 400 error.
But RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage, specifies:
The access token provided is expired, revoked, malformed, or
invalid for other reasons. The resource SHOULD respond with
the HTTP 401 (Unauthorized) status code. The client MAY
request a new access token and retry the protected resource
Why the choice to return a 400 HTTP error? Even if you give more context information with the error message, returning a 400 error means something completely different from a 401, and I think it adds more confusion about errors.
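As an added example (not code from the original post or from Keycloak), a client-side handler that keeps the two cases the post contrasts apart: a 401 with a Bearer challenge from a protected resource, where the client may refresh and retry, and a 400 from the token endpoint during a refresh, where the decision is taken from the JSON `error` member of the body rather than from the status code alone. The sample response bodies are constructed for illustration, not captured from a real server.

```python
import json
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    OK = "ok"                    # use the response as-is
    REFRESH = "refresh"          # access token rejected: obtain a new one with the refresh token
    REAUTHENTICATE = "login"     # refresh token rejected: the user must log in again
    FAIL = "fail"                # any other error: surface it to the caller


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle_resource_response(resp: Response) -> Action:
    """Protected resource (RFC 6750): a 401 carrying a Bearer challenge means the
    access token is expired/invalid and the client may refresh and retry."""
    if 200 <= resp.status < 300:
        return Action.OK
    if resp.status == 401 and resp.headers.get("WWW-Authenticate", "").startswith("Bearer"):
        return Action.REFRESH
    return Action.FAIL


def handle_token_response(resp: Response) -> Action:
    """Token endpoint (refresh_token grant): the error is carried in the JSON body,
    so a bare status code is not enough; read the `error` member."""
    if resp.status == 200:
        return Action.OK
    try:
        err = json.loads(resp.body).get("error")
    except (ValueError, AttributeError):
        return Action.FAIL        # not a JSON object: treat as an unexpected error
    if resp.status == 400 and err == "invalid_grant":
        return Action.REAUTHENTICATE
    return Action.FAIL


# Constructed sample responses (hypothetical, not captured from Keycloak).
EXPIRED_ACCESS = Response(401, {"WWW-Authenticate": 'Bearer realm="example", error="invalid_token"'})
EXPIRED_REFRESH = Response(400, {"Content-Type": "application/json"},
                           '{"error":"invalid_grant","error_description":"Token is not active"}')

if __name__ == "__main__":
    print(handle_resource_response(EXPIRED_ACCESS))   # Action.REFRESH
    print(handle_token_response(EXPIRED_REFRESH))     # Action.REAUTHENTICATE
```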