Adding Claims in Refresh Token is not supported in Keycloak ?

[pranavsurwade]

As we know that Keycloak doesn't provide any way to add claims for refresh token, we can only add claims in access token, which results in lack of security issue as using refresh token of another user, one can get access to all API. I better approach to solve it is to add claims in refresh token and enhance security.

[jbman]

A refresh token should be bound to the user for which it was issued. And it is not intended to provide any claims which evaluated by a resource server (API).

RFC 6749, Section1.5

Refresh tokens [...] are used to obtain a new access token or to obtain additional access tokens
with identical or narrower scope (access tokens may have a shorter
lifetime and fewer permissions than authorized by the resource
owner). [...]. Unlike access tokens, refresh tokens are
intended for use only with authorization servers and are never sent
to resource servers.

How could you use a refresh token to get an access token for a different user?

[pranavsurwade]

What approach could be used to bound refresh token to a particular user ?
What we can do to stop the exploitation of refresh token, if it get's used by another user .

[jbman]

This is nothing you need to worry about. A refresh token can not be used to get an access token for a different user. It's only purpose is to get a fresh access token for the same recource owner (user) as in the access token which was handed out together with the refresh token.

You did not provide any scenario where a refresh token is used for an exploit.