diff --git a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
index 1f801aa..cb06ca1 100644
--- a/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
+++ b/src/main/java/org/gcube/common/keycloak/DefaultKeycloakClient.java
@@ -216,6 +216,16 @@ public class DefaultKeycloakClient implements KeycloakClient {
 return refreshToken(tokenURL, clientId, clientSecret, tokenResponse.getRefreshToken());
 }
+ @Override
+ public TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException {
+ try {
+ String clientId = ModelUtils.getClientIdFromToken(ModelUtils.getRefreshTokenFrom(refreshTokenJWTString));
+ return refreshToken(clientId, refreshTokenJWTString);
+ } catch (Exception e) {
+ throw new KeycloakClientException("Cannot construct access token object from token response", e);
+ }
+ }
+
 @Override
 public TokenResponse refreshToken(String clientId, String refreshTokenJWTString) throws KeycloakClientException {
 return refreshToken(clientId, null, refreshTokenJWTString);
diff --git a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
index a0a10e6..ba8a3e2 100644
--- a/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
+++ b/src/main/java/org/gcube/common/keycloak/KeycloakClient.java
@@ -148,6 +148,18 @@ public interface KeycloakClient {
 TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, TokenResponse tokenResponse) throws KeycloakClientException;
+ /**
+ * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the the refresh token JWT encoded string obtained with the access token in the previous token response.
+ *
+ * Client id will be read from "issued for" refresh token's claim and client secret will be not sent.
+ *
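Review bot: In DefaultKeycloakClient.java, the `catch (Exception e)` of the new `refreshToken(String)` also encloses the delegated `refreshToken(clientId, refreshTokenJWTString)` call, so a `KeycloakClientException` coming back from the server round-trip is re-wrapped under "Cannot construct access token object from token response", a message that describes neither failure. Narrowing the `try` to the token parsing lets the delegate's exception reach the caller unchanged, and the wrapped message should say that the client id could not be read from the refresh token. The client id comes from a token that appears to be decoded locally without signature verification (no key is passed in the visible call), so a null or empty result is worth rejecting before it is sent; that check is left out of the sketch below because the hunk shows only the two-argument exception constructor.

```java
public TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException {
    String clientId;
    try {
        // Only the local decode is guarded; the claim is read from the token as supplied by the caller.
        clientId = ModelUtils.getClientIdFromToken(ModelUtils.getRefreshTokenFrom(refreshTokenJWTString));
    } catch (Exception e) {
        throw new KeycloakClientException("Cannot read client id from the refresh token", e);
    }
    // Outside the try: a KeycloakClientException from the refresh call propagates as-is.
    return refreshToken(clientId, refreshTokenJWTString);
}
```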
NOTE: For public clients types only.
+ *
+ * @param refreshTokenJWTString the previously issued refresh token JWT string taken from the same token response of the access token parameter
+ * @return the refreshed token as {@link TokenResponse} object
+ * @throws KeycloakClientException if something goes wrong performing the refresh query
+ */
+ TokenResponse refreshToken(String refreshTokenJWTString) throws KeycloakClientException;
+
 /**
 * Refreshes a previously issued token from the Keycloak server discovered in the current scope using the provided
 * client id and the refresh token JWT encoded string obtained with the access token in the previous token response.
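Review bot: The Javadoc added for `refreshToken(String)` in KeycloakClient.java carries copy-paste residue: `@param refreshTokenJWTString` refers to "the access token parameter", which this overload does not have, and the summary contains "using the the" and "will be not sent". Suggested wording is `@param refreshTokenJWTString the refresh token JWT string taken from a previous token response` and `The client id is read from the refresh token's "issued for" claim and no client secret is sent.` The `@throws` line could also mention a token that cannot be decoded, since the implementation raises `KeycloakClientException` for that case as well. If `ModelUtils.getRefreshTokenFrom` only decodes the token without verifying it, the comment should say so, so that callers know the claim is taken as supplied and that validation is left to the server.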