Risks of using refresh token in the browser.
Attacker captured an refresh token and using that refresh token the attacker send request that uses the refresh_token grant_type can and getting new access token and new refresh token in response, The attacker can keep replaying that request and to generate new access tokens and refresh tokens indefinitely.
we are using keycloak version 6.0.0.