Update keycloak-setup.md for Keycloak > 18 (#45)

### Proposed changes

Problem: To configure OpenID Connect with Keycloak for NIM
authentication, there are new instructions for Keycloak >18 due to UI
changes on the latest version.

Solution:  We added those new steps in the documentation. 

Testing: Instructions validated and tested by dev and qe

### Checklist

Before creating a PR, run through this checklist and mark each as
complete.

- [ ] I have read the [contributing guidelines](/CONTRIBUTING.md)
- [ ] I have signed the [F5 Contributor License Agreement
(CLA)](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md)
- [ ] If applicable, I have added tests that prove my fix is effective
or that my feature works
- [ ] If applicable, I have checked that any relevant tests pass after
adding my changes
- [ ] I have updated any relevant documentation
([`README.md`](/README.md) and [`CHANGELOG.md`](/CHANGELOG.md))
- [ ] I have rebased my branch onto main
- [ ] I will ensure my PR is targeting the main branch and pulling from
my branch from my own fork
- [ ] If the change involves:
  - Code
  - Anything that resembles Personally identifying information (PII)
    - Make sure to use placeholders such as `<username>` in place of PII
- URLs (watch for
[typosquatting](https://support.microsoft.com/en-us/topic/what-is-typosquatting-54a18872-8459-4d47-b3e3-d84d9a362eb0))
  - Significant new/revised content
    
In these cases, the change will require at least two (2) approvals
before merging

Author: travisamartin

content/nim/admin-guide/authentication/oidc/keycloak-setup.md

@@ -47,8 +47,19 @@ Follow these steps to configure Keycloak.
 
 After the client is created, configure it as follows:
 
-1. On the **Settings** tab, in the **Access Type** list, select **confidential**.
-2. On the **Mappers** tab, select **Add Builtin**, and select **groups**. This exports the user's Keycloak Realm Role information for NGINX Instance Manager to use.
+#### For Keycloak versions earlier than 18.x
+
+1. On the **Settings** tab, set **Access Type** to **confidential**.
+2. On the **Mappers** tab, select **Add Builtin** and choose **groups** to export Keycloak Realm Role information for NGINX Instance Manager.
+
+#### For Keycloak versions 18.x and later
+
+1. On the **Settings** tab, under **Capability config**, enable **Client authentication**.
+2. In the **Authentication flow** section, enable **Direct Access Grants** and **Service Account**.
+3. Go to the **Client Scopes** tab.
+   - Select the scope named **<client_name>-dedicated (nim-dedicated)**.
+   - On the **Mappers** tab, click **Configure new Mapper** and choose **From predefined mappers**.
+   - Search for **groups** and select **Add groups mapper**.
 
 ### Create Keycloak Roles
 
@@ -119,6 +130,8 @@ To configure NGINX Instance Manager with the necessary OIDC settings, follow the
 
 - Export the environment variables:
 
+  - **For Keycloak versions earlier than 18.x**:
+
     ```bash
     # Either the FQDN or the IP address is suitable for these environment variables.
     export KEYCLOAK_IP="<insert-keycloak-IP>"
@@ -134,6 +147,31 @@ To configure NGINX Instance Manager with the necessary OIDC settings, follow the
     export KEYCLOAK_KEYS_ENDPOINT=$(curl -k "https://$KEYCLOAK_IP:8443/auth/realms/<realm-name>/.well-known/openid-configuration" | jq -r ".jwks_uri")
     ```
 
+  - **For Keycloak versions 18.x and later**:
+
+    ```bash
+    # Either the FQDN or the IP address is suitable for these environment variables.
+    export KEYCLOAK_IP="<insert-keycloak-IP>"
+    export NIM_IP="<insert-NIM-IP>"
+    export KEYCLOAK_CLIENT_ID="<insert-keycloak-client-id>"
+    export KEYCLOAK_CLIENT_SECRET="<insert-kecloak-client-secret>"
+
+    # Choose an appropriate Hash-Based Message Authentication Code (HMAC)
+    export HMAC_KEY="<insert-HMAC>"
+
+    export KEYCLOAK_AUTH_ENDPOINT=$(curl -k \
+      "https://$KEYCLOAK_IP:8443/realms/<realm-name>/.well-known/openid-configuration" | \
+      jq -r ".authorization_endpoint")
+
+    export KEYCLOAK_TOKEN_ENDPOINT=$(curl -k \
+      "https://$KEYCLOAK_IP:8443/realms/<realm-name>/.well-known/openid-configuration" | \
+      jq -r ".token_endpoint")
+
+    export KEYCLOAK_KEYS_ENDPOINT=$(curl -k \
+      "https://$KEYCLOAK_IP:8443/realms/<realm-name>/.well-known/openid-configuration" | \
+      jq -r ".jwks_uri")
+    ```
+    
 - Back up the original configuration files:
 
     ```bash