The current keycloak is designed to run in containers. You take the image from redhat and provision what you need and then you have the image that can be easily used in multiple instances.
I'd make it a pluggable middleware with a document on how to implement your own and provide a reference configuration that uses something like Vouch [0] which will redirect the user to another identity provider.
You could also provide another implementation that implements Cloudflare's zero trust authentication [1].
In other words, I don't think I'd want to actually take responsibility for authentication these days and use an authenticating proxy. The less security infrastructure you have, the less there is to go out of date.
You can always start with this approach and then implement your own built-in user directory later.
If I wasn't using a framework that shipped with it already (like django), I would pick an authentication method that worked for what I am making. I would look for a well reviewed library in the language I am writing for both client and server.
You should consider HTTP Basic Auth. It’s a quick path to “good enough” and you can iterate to something better later. You can read more about why I started using it for my side projects on my blog post below.
I did it in the most basic way, I just store a cookie in PHP. I want to improve it a bit, by using session tokens (so you can get a unique token per device, and can revoke access if needed).