Refresh token security threat

Risks of using refresh token in the browser.

An attacker captured a refresh token, and using that refresh token the attacker sends a request that uses the refresh_token grant_type and gets a new access token and a new refresh token in response. The attacker can keep replaying that request to generate new access tokens and refresh tokens indefinitely.

We are using Keycloak version 6.0.0.

Is there a question? Are you trying to mitigate the risk you posted?

Try taking a look at “Implicit flow” in the Securing Applications and Services Guide.

To make a successful refresh request the attacker should also know the client id and client secret.