Making sure public clients can RPT tokens

Closes keycloak#14165

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java

@@ -2021,6 +2021,32 @@ public void testProcessMappersForTargetAudience() throws Exception {
         assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
     }
 
+    @Test
+    public void testRefreshTokenFromClientOtherThanAudience() throws Exception {
+        oauth.realm("authz-test");
+        oauth.clientId(PUBLIC_TEST_CLIENT);
+        oauth.doLogin("marta", "password");
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        OAuthClient.AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(code, null);
+        assertNotNull(accessTokenResponse.getAccessToken());
+        assertNotNull(accessTokenResponse.getRefreshToken());
+
+        AuthorizationRequest request = new AuthorizationRequest();
+        request.setAudience(RESOURCE_SERVER_TEST);
+        AuthorizationResponse authorizationResponse = getAuthzClient(PUBLIC_TEST_CLIENT_CONFIG).authorization(accessTokenResponse.getAccessToken()).authorize(request);
+        AccessToken token = toAccessToken(authorizationResponse.getToken());
+        assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
+        assertEquals(RESOURCE_SERVER_TEST, token.getAudience()[0]);
+        assertFalse(token.getAuthorization().getPermissions().isEmpty());
+
+        accessTokenResponse = oauth.doRefreshTokenRequest(authorizationResponse.getRefreshToken(), null);
+        assertNotNull(accessTokenResponse.getAccessToken());
+        assertNotNull(accessTokenResponse.getRefreshToken());
+        token = toAccessToken(authorizationResponse.getToken());
+        assertEquals(PUBLIC_TEST_CLIENT, token.getIssuedFor());
+        assertFalse(token.getAuthorization().getPermissions().isEmpty());
+    }
+
     @Test
     public void testUsingExpiredToken() throws Exception {
         ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);