feat(docs): add keycloack example to oauth docs (#27425)

docs/docs/administration/oauth.md

@@ -14,6 +14,7 @@ Immich supports 3rd party authentication via [OpenID Connect][oidc] (OIDC), an i
 - [Authelia](https://www.authelia.com/integration/openid-connect/immich/)
 - [Okta](https://www.okta.com/openid-connect/)
 - [Google](https://developers.google.com/identity/openid-connect/openid-connect)
+- [Keycloak](https://www.keycloak.org)
 
 ## Prerequisites
 
@@ -253,4 +254,40 @@ Configuration of OAuth in Immich System Settings
 
 </details>
 
+<details>
+<summary>Keycloak Example</summary>
+
+### Keycloak Example
+
+Here's an example of OAuth configured for Keycloak:
+
+Create your immich client on your Keycloak Realm.
+
+<img src={require('./img/keycloak-general-settings.webp').default} width='100%' title="Keycloak Client general Settings" />
+<img src={require('./img/keycloak-access-settings.webp').default} width='100%' title="Keycloak Client Access Settings" />
+<img src={require('./img/keycloak-capability-config.webp').default} width='100%' title="Keycloak Client Capability Configuration" />
+
+Configuration of OAuth in Immich System Settings
+
+| Setting                      | Value                                                 |
+| ---------------------------- | ----------------------------------------------------- |
+| Issuer URL                   | `https://<KEYCLOAK_DOMAIN>/realms/<YOUR_REALM>`       |
+| Client ID                    | immich                                                |
+| Client Secret                | can be optained from Clients -> immich -> Credentials |
+| Scope                        | openid email profile                                  |
+| Signing Algorithm            | RS256                                                 |
+| Storage Label Claim          | preferred_username                                    |
+| Role Claim                   | immich_role                                           |
+| Storage Quota Claim          | immich_quota                                          |
+| Default Storage Quota (GiB)  | 0 (empty for unlimited quota)                         |
+| Button Text                  | Sign in with Keycloak (recommended)                   |
+| Auto Register                | Enabled (optional)                                    |
+| Auto Launch                  | Enabled (optional)                                    |
+| Mobile Redirect URI Override | Disabled                                              |
+| Mobile Redirect URI          |                                                       |
+
+Role Claim can be managed via Client Role. Remember to create a mapper with claim name `immich_role`.
+
+</details>
+
 [oidc]: https://openid.net/connect/