Keycloak: Refresh Token Automatic Reuse Detection [closed]
We are using Keycloak for authentication (OIDC):
- the user enters their Username/Password and opens the Frontend Browser page (Client)
- REST API calls to the Backend (Server) carry the Bearer Token (= access token) in the Header
- calls are queued in RabbitMQ
- after a long-running task, the stored Bearer token for the next task to run has already expired and has to be renewed with a Refresh Token
Now the scenario: someone is able to steal the Refresh Token and can always get new valid access tokens. Keycloak should recognize this by "Automatic Reuse Detection" and require re-authentication to prevent this!
We tried this out in Postman and were able to use the same Refresh Token on both sides (different Clients in the same Network) several times without any problems.
Another possibility would be to set Revoke Refresh Token to ON and Refresh Token Max Reuse to 0. But then it is not ensured that the valid user is still able to authenticate, because of a race condition with malicious users:
- The Attacker uses the Refresh Token before the valid user
- the Refresh Token becomes invalid for the valid user due to Revoke Refresh Token
What are the best practices here? Any kind of help is very appreciated!
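The following is an added illustration, not code from the question or from Keycloak. It models refresh-token rotation with reuse detection as a small in-memory token service: each login opens a token "family", every successful refresh consumes the presented refresh token and issues a new one in the same family (the behaviour the question describes for Revoke Refresh Token = ON with Refresh Token Max Reuse = 0), and presenting an already consumed token is treated as evidence of theft, so the whole family is revoked. The `simulate_theft_race` function plays out exactly the race described in the question: the attacker refreshes first and wins, the legitimate user's refresh is then flagged as reuse, and the revocation also kills the token the attacker just obtained. All names, the `InvalidGrant` reasons and the sample users are assumptions of this model, not Keycloak identifiers.

```python
"""Refresh-token rotation with reuse detection, as a runnable model.

Added example, not Keycloak's implementation. One family per login session;
a refresh consumes the presented token and issues a new one in the same
family; a second presentation of a consumed token revokes the family.
"""
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Stands in for the OAuth 2.0 'invalid_grant' error of the token endpoint."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


@dataclass
class RefreshToken:
    family: str           # one family per authenticated session (assumed model)
    consumed: bool = False


class TokenService:
    def __init__(self) -> None:
        self._tokens: dict[str, RefreshToken] = {}
        self._revoked_families: set[str] = set()
        self._access_seq = 0

    def login(self, username: str) -> dict:
        """Password grant succeeded: open a fresh family for this session."""
        family = f"{username}-{secrets.token_hex(4)}"
        return self._issue(family)

    def _issue(self, family: str) -> dict:
        rt = secrets.token_urlsafe(32)
        self._tokens[rt] = RefreshToken(family)
        self._access_seq += 1
        return {"access_token": f"at-{self._access_seq}", "refresh_token": rt}

    def refresh(self, refresh_token: str) -> dict:
        rt = self._tokens.get(refresh_token)
        if rt is None:
            raise InvalidGrant("unknown_token")
        if rt.family in self._revoked_families:
            raise InvalidGrant("session_revoked")
        if rt.consumed:
            # Reuse detected: the same token was presented twice. The server
            # cannot tell which presenter is the thief, so it revokes the whole
            # family; both parties must re-authenticate.
            self._revoked_families.add(rt.family)
            raise InvalidGrant("reuse_detected")
        rt.consumed = True                      # rotation: old token is spent
        return self._issue(rt.family)


def outcome(svc: TokenService, token: str) -> str:
    """Refresh with `token` and report the result as a short string."""
    try:
        svc.refresh(token)
        return "refreshed"
    except InvalidGrant as e:
        return e.reason


def simulate_theft_race() -> list[str]:
    """Attacker steals the refresh token and uses it before the legitimate user."""
    svc = TokenService()
    stolen = svc.login("alice")["refresh_token"]       # constructed sample session
    attacker = svc.refresh(stolen)                      # attacker wins the race
    user = outcome(svc, stolen)                         # user: reuse detected
    attacker_again = outcome(svc, attacker["refresh_token"])  # attacker's token is dead too
    return ["refreshed", user, attacker_again]


def simulate_shared_token_workers() -> list[str]:
    """Two queue workers that both saved the same refresh token trip the same check."""
    svc = TokenService()
    shared = svc.login("bob")["refresh_token"]         # constructed sample session
    return [outcome(svc, shared), outcome(svc, shared)]


if __name__ == "__main__":
    print("theft race:", simulate_theft_race())
    print("shared token:", simulate_shared_token_workers())
```

Two things the model makes visible. First, with rotation the race in the question is not a failure of the scheme: the legitimate user's refresh is rejected, but so is everything the attacker holds, and a fresh login restores service; without rotation the attacker keeps a working token indefinitely. Second, `simulate_shared_token_workers` shows the operational cost: any two consumers (for example two queue workers that each stored the same refresh token) will trigger the detection against themselves, so each worker must persist the newest refresh token after every rotation, or refreshes must be serialized through one place.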
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
