The current Keycloak authentication provider serves no real purpose as it has fewer features than the generic OpenID Connect option and is not really easier to configure. I recommend deprecating it to avoid confusion and to lower maintenance. Another option would be to use the same implementation internally and to just offer an easier configuration page (Base URL + Realm name instead of setting all endpoints manually).