[Using open-balena-api] as an oidc identity provider for Keycloak would be great because then you could have nodes talk directly to services like Elasticsearch or s3 who accept oidc without having to build a middle layer to authenticate balena devices.