diff --git a/app/models/oauth2_token.go b/app/models/oauth2_token.go
index 116b9be5..32f3d722 100644
--- a/app/models/oauth2_token.go
+++ b/app/models/oauth2_token.go
@@ -1,14 +1,37 @@
 package models
+import (
+ "database/sql/driver"
+ "encoding/json"
+ "errors"
+)
 type Oauth2Token struct {
- UserID string `json:"user_id"`
- TokenType string `json:"token_type"`
- AccessToken string `json:"access_token"`
- RefreshToken string `json:"refresh_token"`
- ExpiresIn int `json:"expires_in"`
- RefreshExpiresIn int `json:"refresh_expires_in"`
+ UserID string `json:"user_id"`
+ TokenType string `json:"token_type"`
+ AccessToken string `json:"access_token"`
+ RefreshToken string `json:"refresh_token"`
+ ExpiresIn int `json:"expires_in"`
+ RefreshExpiresIn int `json:"refresh_expires_in"`
+ Permissions StrArray `json:"permissions" gorm:"type:jsonb;index,type:gin"`
 }
 func (Oauth2Token) TableName() string {
 return "oauth2_tokens"
 }
+
+type StrArray []string
+
+// Value Marshal
+func (a StrArray) Value() (driver.Value, error) {
+ return json.Marshal(a)
+}
+
+// Scan Unmarshal
+func (a *StrArray) Scan(value interface{}) error {
+ b, ok := value.([]byte)
+ if !ok {
+ return errors.New("type assertion to []byte failed")
+ }
+ return json.Unmarshal(b, &a)
+}
diff --git a/internal/auth/keycloak.go b/internal/auth/keycloak.go
index 746f0a6c..6d53286a 100644
--- a/internal/auth/keycloak.go
+++ b/internal/auth/keycloak.go
@@ -47,19 +47,17 @@ func RefreshTokenIfNecessary(user_id string) error {
 keycloak.Ctx = context.Background()
 }
- rptResult, err := keycloak.Client.RetrospectToken(
+ result, _, err := keycloak.Client.DecodeAccessToken(
 keycloak.Ctx,
- token.RefreshToken,
- helpers.Env("KEYCLOAK_CLIENT_ID", ""),
- helpers.Env("KEYCLOAK_CLIENT_SECRET", ""),
+ token.AccessToken,
 helpers.Env("KEYCLOAK_REALM", ""),
 )
 if err != nil {
- return errors.New("an error occured while retrospecting token")
+ return errors.New("an error occured while validating token")
 }
- if !*rptResult.Active {
+ if !result.Valid {
 err := RefreshToken(token)
 if err != nil {
 return err
diff --git a/internal/liman/role_system.go b/internal/liman/role_system.go
index b0400ed5..bf397eff 100644
--- a/internal/liman/role_system.go
+++ b/internal/liman/role_system.go
@@ -30,6 +30,15 @@ func GetPermissions(user *models.User, extFilter string) ([]string, map[string]s
 variables = helpers.MergeStringMaps(variables, variable)
 }
+ if user.AuthType == "keycloak" {
+ token := &models.Oauth2Token{}
+ database.Connection().First(&token, "user_id = ?", user.ID)
+
+ if token.UserID != "" {
+ permissions = append(permissions, token.Permissions...)
+ }
+ }
+
 return permissions, variables, nil
 }
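Review bot: `StrArray.Scan` rejects a SQL NULL with "type assertion to []byte failed" because a nil `value` fails the `[]byte` assertion, so every `oauth2_tokens` row that predates the new `permissions` column fails to load until it is backfilled; treat nil as an empty list, and pass `a` rather than `&a` to `json.Unmarshal` (the receiver is already a pointer, so `&a` is a `**StrArray`). Some Postgres drivers return jsonb as `string` rather than `[]byte`, so accepting both forms is safer. The gorm tag `index,type:gin` also looks like it should read `index:,type:gin` — GORM's tag parser splits each setting on `:`, so as written the GIN index is probably not created; confirm against the GORM version in use. A doc comment on the exported type, e.g. `// StrArray is a []string persisted as a JSON array in a jsonb column.`, would replace the two placeholder comments `// Value Marshal` and `// Scan Unmarshal`.
```go
// Scan implements sql.Scanner; a NULL column yields an empty list.
func (a *StrArray) Scan(value interface{}) error {
	if value == nil {
		*a = nil
		return nil
	}
	var b []byte
	switch v := value.(type) {
	case []byte:
		b = v
	case string:
		b = []byte(v)
	default:
		return errors.New("type assertion to []byte failed")
	}
	return json.Unmarshal(b, a)
}
```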
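Review bot: An expired access token will most likely come back from `DecodeAccessToken` as an error rather than as `result.Valid == false`, since JWT parsers normally reject expired claims while parsing; the `if err != nil` branch then returns "an error occured while validating token" before `RefreshToken(token)` is reached, so the function stops refreshing in exactly the case its name covers. Distinguish an expiry/validation failure from a transport or key-fetch failure (the client looks like gocloak, whose decode error wraps the JWT library's validation error, checkable with `errors.As`/`errors.Is`) and fall through to the refresh branch for the former. Switching from server-side introspection of the refresh token to local decoding of the access token also means a session revoked at Keycloak stays accepted here until the token's `exp`; if revocation must take effect promptly, keep introspection for that path or shorten the access-token lifetime. The new message also carries the typo in `"an error occured while validating token"` (`occurred`). RefreshTokenIfNecessary begins and ends outside the hunk.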
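Review bot: The error from `database.Connection().First(&token, ...)` is discarded, so a query failure — including a `Scan` error on a NULL `permissions` column from the first hunk's `StrArray.Scan` — silently drops the Keycloak permissions instead of surfacing, and `token.UserID != ""` only distinguishes found from not-found. Check `.Error` and ignore only the not-found case, e.g. `if err := database.Connection().First(token, "user_id = ?", user.ID).Error; err != nil && !errors.Is(err, gorm.ErrRecordNotFound) { return nil, nil, err }` (adding the imports if the file lacks them). `token` is already a `*models.Oauth2Token`, so pass `token` rather than `&token`. Since `First` carries no ordering, a user with several token rows gets the permissions of an arbitrary one; if only the newest row is meaningful, add an `Order(...)` clause. GetPermissions begins outside the hunk.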