After further testing, this feature now works, but comes with a major caveat. Especially with how logout is currently implemented. A website using this feature will be essentially unusable in modern Safari and other browers blocking 3rd party cookies. If 3rd party cookies are blocked, the functionality of the Keycloak iframe is broken. This leads to this module's javascript logging a user out immediately in affected browsers.
After testing and plenty of annoying debugging, I submitted a second MR. It attempts to fix with the next issue I had with this feature. It seems like the JS library was served with a stale session ID. This lead to the user being logged out immediately after logging in on their 2nd and later visits, until the cache was cleared. I fixed this by adding a context for session so Drupal invalidates the page cache.
profi248 → created an issue.
MR144 works for me in resolving the "non-existent service" service error with the keycloak module.
@joseph.olstad thanks for the reply.
This patch to openid_connect didn't apply for me, so I tried using MR144 from https://www.drupal.org/project/openid_connect/issues/3462532 📌 Create and utilise autowiring aliases for OpenID Connect Active instead. That, along with MR43 patch to keycloak did indeed fix the redirect problem, even on alpha6.
I also had to reinstall my local dev site after database migrations didn't work, but that seems to be a problem of me doing this on the same install before. When I started with a fresh install on keycloak 1.8.0 and openid_connect 1.4.0 and then ran the migrations, there were no issues.
Redirect seems to work properly for me with openid_connect 3.0.0-alpha5. But with the new alpha6 that came out in the meantime, I'm getting a new error: You have requested a non-existent service "openid_connect.openid_connect".