I have a setup where I have a web application which can provision and launch machines inside a tenant private network based on some criteria. The web application also allows me to create users and have them log in. This is basic CRUD. However, I would like people to log in on the web portal and the provisioned machines with the same credentials. This is my problem. In the future, I would also like the authentication and user management to happen via an LDAP server that will be hosted by the tenant, which this application I'm talking about will talk to. However, that's not the topic of this question.
My current solution is to use Keycloak so that the web application can authenticate against that. This part works fairly well. The web app can create users, authenticate against it, etc. I was planning to have the provisioned machines also authenticate against the Keycloak instance using some kind of PAM module. This seems to make sense. I used an AI to try to create a solution and it suggested using `pam_script` to call an external script to speak to Keycloak and perform the authentication. The logic of the script seems to work. It can authenticate, but I think the calling convention between PAM and the script is broken or something else is wrong and it doesn't work. With existing users on the machine (those with entries in the `passwd` file), it just hangs (but I can verify the script is called). With users that don't have a `passwd` entry, I just get a message that says "No passwd entry" and it aborts. I would like it to authenticate against Keycloak and then have it create a local user automatically.
Two questions.
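A pam_script-style authenticator for the flow described in the question, added here as an example (it is not the asker's script and not code from the pam_script or Keycloak projects): it takes the user from `PAM_USER`, reads the password from stdin with a timeout instead of blocking, and validates it with Keycloak's resource-owner-password grant. It assumes pam_script is loaded with `expose_authtok` (which hands the password to the script on stdin) and that the Keycloak base URL, realm and client id are placeholders to be replaced.

```python
import json
import os
import select
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment values (placeholders, not from the question).
KEYCLOAK_BASE = os.environ.get("KEYCLOAK_BASE", "https://keycloak.example.invalid")
REALM = os.environ.get("KEYCLOAK_REALM", "tenant")
CLIENT_ID = os.environ.get("KEYCLOAK_CLIENT_ID", "pam-login")

def build_token_request(base, realm, client_id, user, password):
    # Keycloak OIDC token endpoint, resource-owner-password grant (the
    # client must have "Direct Access Grants" enabled in Keycloak).
    url = f"{base.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    form = {"grant_type": "password", "client_id": client_id,
            "username": user, "password": password}
    return url, urllib.parse.urlencode(form).encode()
def token_response_ok(status, body):
    # Only HTTP 200 carrying an access_token is a pass; 401 = bad credentials.
    if status != 200:
        return False
    try:
        return bool(json.loads(body).get("access_token"))
    except (ValueError, AttributeError):
        return False
def read_authtok(timeout=5):
    # pam_script with expose_authtok writes the password to stdin; without it
    # stdin stays empty and an unguarded read() blocks, i.e. the login "hangs".
    ready, _, _ = select.select([sys.stdin], [], [], timeout)
    return sys.stdin.readline().rstrip("\n") if ready else None
def main():
    user = os.environ.get("PAM_USER")  # exported to the script by pam_script
    password = read_authtok()
    if not user or not password:
        return 1  # any non-zero exit is reported to PAM as an auth failure
    url, body = build_token_request(KEYCLOAK_BASE, REALM, CLIENT_ID, user, password)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return 0 if token_response_ok(resp.status, resp.read()) else 1
    except urllib.error.HTTPError as e:
        return 0 if token_response_ok(e.code, e.read()) else 1
    except (OSError, ValueError):
        return 1

if __name__ == "__main__":
    sys.exit(main())
```

A successful PAM authentication does not create the account: the "No passwd entry" message comes from the user lookup (NSS), so the local user or an NSS source for it still has to exist before the session can start.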