I've successfully implemented what you wanted to achieve by legeraging both PAM and NSS module (this is fundamental in order to not hitting no passwd entry errors) against proxy and Keycloak instance

You might want to take a look to what I've done in this reddit post:

Integrating Keycloak with SSH: Real-Time Permissions, WebAuthn/FIDO2/TOTP MFA, External IdP Onboarding & More

Have a nice day!