feat(idp): add keycloak-first support with authentik fallback

.env.production.example

@@ -19,5 +19,20 @@ AUTHENTIK_CLIENT_SECRET=
 AUTHENTIK_TOKEN_ENDPOINT=
 AUTHENTIK_USERINFO_ENDPOINT=
 
+# Keycloak (preferred when KEYCLOAK_BASE_URL + KEYCLOAK_REALM are set)
+KEYCLOAK_BASE_URL=
+KEYCLOAK_REALM=
+KEYCLOAK_VERIFY_TLS=true
+KEYCLOAK_ISSUER=
+KEYCLOAK_JWKS_URL=
+KEYCLOAK_AUDIENCE=
+KEYCLOAK_CLIENT_ID=
+KEYCLOAK_CLIENT_SECRET=
+KEYCLOAK_TOKEN_ENDPOINT=
+KEYCLOAK_USERINFO_ENDPOINT=
+KEYCLOAK_ADMIN_CLIENT_ID=
+KEYCLOAK_ADMIN_CLIENT_SECRET=
+KEYCLOAK_ADMIN_REALM=
+
 PUBLIC_FRONTEND_ORIGINS=https://member.ose.tw,https://mkt.ose.tw,https://admin.ose.tw
 INTERNAL_SHARED_SECRET=CHANGE_ME