Yeah, ROPC is outdated and not recommended — no MFA, no SSO, and hard to switch IdPs later.
Use Authorization Code Flow with PKCE instead. It supports MFA/SSO and gives you refresh tokens if you request the offline_access scope.
In Keycloak, enable this by assigning the offline_access role to users (or include it in the realm’s default roles).
Then, in the /auth request, include offline_access in the scope.
When you exchange the auth code at /token, you'll get an offline_token instead of a standard refresh token.
This lets you use Keycloak’s login page, so you can enable MFA, SSO, or whatever else you need.
Much safer, future-proof, and fully standard.
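The flow described above, written out as an added example (it is not code from the original post): generate a PKCE verifier/challenge pair, build the Keycloak authorization request with `offline_access` in the scope, exchange the returned code at the token endpoint, and then check that the `refresh_token` you got back really is an offline token. The realm base URL, client ID and redirect URI are hypothetical placeholders; the endpoint paths assume a current Keycloak layout (`/realms/{realm}/protocol/openid-connect/...`, older releases prefix `/auth`). The sample JWTs at the bottom are constructed and unsigned, purely so the inspection helper can be exercised offline.

```python
"""Authorization Code + PKCE against Keycloak with an offline_access request.

Added example; assumed (hypothetical) values, not from the original post:
  KEYCLOAK_BASE, CLIENT_ID, REDIRECT_URI below.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example/realms/myrealm"  # assumption
CLIENT_ID = "my-app"                                      # assumption (public client)
REDIRECT_URI = "http://localhost:8080/callback"           # assumption

AUTH_ENDPOINT = f"{KEYCLOAK_BASE}/protocol/openid-connect/auth"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/protocol/openid-connect/token"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_auth_url(verifier: str, state: str,
                   scopes=("openid", "offline_access")) -> str:
    """The /auth request the browser is sent to; offline_access asks for an offline token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,                          # CSRF binding, verify on callback
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urllib.parse.urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for the /token exchange; the verifier proves we started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def exchange_code(code: str, verifier: str) -> dict:
    """POST the code to Keycloak and return the parsed token response (network call)."""
    body = urllib.parse.urlencode(build_token_request(code, verifier)).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature; inspection only."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def is_offline_token(refresh_token: str) -> bool:
    """Keycloak marks offline tokens with typ "Offline"; ordinary ones carry "Refresh"."""
    return jwt_payload(refresh_token).get("typ") == "Offline"


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only (never accept such tokens)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


# Constructed sample tokens (not real Keycloak output) to exercise the check.
SAMPLE_OFFLINE_TOKEN = make_unsigned_jwt({"typ": "Offline", "azp": CLIENT_ID})
SAMPLE_REFRESH_TOKEN = make_unsigned_jwt({"typ": "Refresh", "azp": CLIENT_ID, "exp": 1})

if __name__ == "__main__":
    verifier = new_code_verifier()
    print("Open in browser:", build_auth_url(verifier, state=secrets.token_urlsafe(16)))
    # After the redirect: tokens = exchange_code(code_from_callback, verifier)
    # then: is_offline_token(tokens["refresh_token"])
```

If `is_offline_token` returns `False` even though `offline_access` was in the scope, the user is missing the `offline_access` role in the realm, which is the Keycloak-side switch the reply refers to.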