Assistance required with Custom Authentication Service redirection for Keycloak OIDC integration

We are implementing a Single Sign-On (SSO) integration between Pega and Keycloak. Due to specific architectural requirements, we are using an Authentication Service of type “Custom” rather than the standard “OpenID Connect” type.

Our service is configured with a custom authentication activity named CustomJWTSSO. However, when accessing the login URL (.../prweb/PRAuth/TestSSO), the browser displays the standard Pega Login screen instead of redirecting the user to the Keycloak authorization endpoint.

We require technical guidance on the following:

  1. The Challenge Phase: What is the recommended Pega pattern/method (e.g., Redirect-URL) to programmatically trigger the redirect to the Keycloak Auth URL within the custom activity when no authorization code is present?

  2. Token Exchange: Best practices for handling the subsequent back-channel Connect-REST call to the Keycloak /token endpoint to exchange the code for a JWT.

  3. JWT Validation: How to properly invoke a Token Profile and Keystore within the custom activity to verify the Keycloak signature.

To fix the redirection issue, use the Redirect-URL method in your CustomJWTSSO activity to send users to the Keycloak authorization endpoint when no code is present. Construct the full Keycloak URL with your client credentials and call this method to bypass the default Pega login screen. Once Keycloak sends the user back with an authorization code, use a Connect-REST rule to exchange that code for a JWT at the Keycloak token endpoint. Finally, verify the token’s signature by calling the pyValidateToken activity, which uses your defined Token Profile and Keystore. This integrated flow ensures the browser redirects correctly and validates the identity of the user securely.
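The three phases the answer describes (challenge redirect, back-channel code exchange, token validation), written out as an added Python example that is not part of the original post and not Pega's or Keycloak's own code. It shows what the custom activity has to carry across the phases: a `state` value bound to the session (so a callback that was not started by this browser is rejected) and a `nonce` echoed in the ID token (so a replayed token is rejected), plus issuer, audience, expiry and algorithm checks before the identity is trusted. Assumptions: the realm URL, client id, redirect URI and the function names (`build_authorization_url`, `parse_callback`, `token_request_body`, `verify_jwt`, `mint_jwt`) are constructed for the example; HS256 with a shared key stands in for Keycloak's RS256 so the block runs offline, whereas a real Token Profile verifies against the realm's public key or JWKS and the claim checks stay the same.

```python
"""Added example: the OIDC authorization-code flow a custom authentication
activity must implement, modelled as plain functions. Not from the original
post; names and URLs are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration; a real deployment takes these from the Keycloak realm.
KEYCLOAK_BASE = "https://keycloak.example.com/realms/demo"
AUTH_URL = KEYCLOAK_BASE + "/protocol/openid-connect/auth"
TOKEN_URL = KEYCLOAK_BASE + "/protocol/openid-connect/token"
CLIENT_ID = "pega-client"
REDIRECT_URI = "https://pega.example.com/prweb/PRAuth/TestSSO"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Phase 1 (challenge): no "code" on the request, so build the redirect and keep
# state (CSRF binding) and nonce (replay binding) in the user's session.
def build_authorization_url(session: dict) -> str:
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTH_URL + "?" + urlencode(params)


# Callback parsing: refuse any response whose state does not match the session.
def parse_callback(url: str, session: dict) -> str:
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: callback not started by this session")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


# Phase 2 (token exchange): form body for the back-channel POST to TOKEN_URL.
# The client secret travels server-to-server only, never through the browser.
def token_request_body(code: str, client_secret: str) -> dict:
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }


# Phase 3 (validation): signature first, then the claims that bind the token to
# this issuer, this client, this point in time and this login attempt.
def verify_jwt(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != KEYCLOAK_BASE:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


# Constructed stand-in for the issuer, used only to produce tokens for testing.
def mint_jwt(claims: dict, key: bytes) -> str:
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"
```

In the Pega equivalent, the `session` dict corresponds to requestor-scoped state kept across the two invocations of the activity, `token_request_body` is the payload the Connect-REST rule posts to the token endpoint, and `verify_jwt` is the work delegated to pyValidateToken with the Token Profile and Keystore; the activity should still compare the returned nonce and state itself, since those values are only known to the login attempt that generated them.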