If no additional scopes are set, the refreshToken method will add an empty scope= parameter to the token endpoint url. Unfortunately, our Keycloak instance only accepts it as optional if not set. Sending a refresh request with scope= will return an "invalid_scope" error.