A flaw was found in Keycloak, where it is possible to add unsafe schemes for the `redirect_uri` parameter. This flaw allows an attacker to perform a cross-site scripting (XSS) attack.
The Trusted Hosts Policy could be used to mitigate this attack:
<https://www.keycloak.org/docs/latest/securing_apps/index.html#client-registration-policies>
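As a complementary check, the following added example (not Keycloak code and not part of the original advisory) audits a realm export for registered redirect URIs whose scheme is unsafe. It assumes the export is JSON with `clients[].clientId` and `clients[].redirectUris`; the scheme lists and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Assumption: schemes treated as script-capable in a browser context.
UNSAFE_SCHEMES = {"javascript", "data", "vbscript"}
# Assumption: schemes accepted without review; any other scheme is reported.
ALLOWED_SCHEMES = {"https", "http"}
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def classify_redirect_uri(uri):
    """Return 'unsafe', 'review' or 'ok' for one registered redirect URI."""
    # Browsers drop tab/CR/LF anywhere in a URL and leading control chars or
    # spaces, so normalise the same way before reading the scheme.
    cleaned = re.sub(r"^[\x00-\x20]+", "", re.sub(r"[\t\r\n]", "", uri))
    if cleaned == "*":
        return "review"  # bare wildcard names no scheme at all
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return "ok"  # relative path such as "/app/*": no scheme present
    scheme = match.group(1).lower()
    if scheme in UNSAFE_SCHEMES:
        return "unsafe"
    return "ok" if scheme in ALLOWED_SCHEMES else "review"


def audit_realm_export(export):
    """Return (clientId, uri, verdict) for every redirect URI that is not 'ok'."""
    findings = []
    for client in export.get("clients", []):
        for uri in client.get("redirectUris", []):
            verdict = classify_redirect_uri(uri)
            if verdict != "ok":
                findings.append((client.get("clientId", "?"), uri, verdict))
    return findings


# Constructed sample export; client names and URIs are illustrative only.
SAMPLE_EXPORT = json.loads("""
{"realm": "example", "clients": [
  {"clientId": "web-app", "redirectUris": ["https://app.example.com/*", "/local/*"]},
  {"clientId": "self-registered", "redirectUris": ["JavaScript:void(0)", "java\\tscript:void(0)"]},
  {"clientId": "mobile", "redirectUris": ["com.example.app:/callback"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_realm_export(SAMPLE_EXPORT):
        print(finding)
```

Entries reported as `review` (custom application schemes, bare wildcards) are not necessarily wrong, but each should be confirmed against the client's intended configuration.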