SvelteKit and Keycloak OIDC

There’s NextAuth.js from Vercel, which was made for Next.js.

Recently it was adapted for SvelteKit.

The announcement post:
https://vercel.com/blog/announcing-sveltekit-auth

The Keycloak provider doc:
https://next-auth.js.org/providers/keycloak

The example repository:
https://github.com/nextauthjs/sveltekit-auth-example

Well, it does work, at first sight. Sign in, sign out, requiring auth for pages, it all works.
However you need a confidential client.
And this token then isn’t compatible with the server side API (RESTful/GraphQL) which expects a non-confidential client.
Also it doesn’t use the sign-in page from the Keycloak server, but its own “sign in with keycloak” page.
Roles are not present, and there is no documentation about how to change the scope.
Yes, it can probably be adjusted, but it’s not documented.
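
To see what a given access token actually carries, decode its claims and compare them with what the API checks. This is an added example, not code from this post or from NextAuth.js: it assumes the API looks at which client the token was issued to and at one role, and it uses Keycloak's usual claim names (`azp`, `aud`, `realm_access`, `resource_access`). The client ids, role name and tokens are constructed.

```javascript
// Added example, diagnostic only: decoding does NOT verify the signature.
// The API must still validate signature, issuer and expiry itself.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Roles can sit under realm_access or under resource_access.<client>.
function collectRoles(claims) {
  const roles = new Set(claims.realm_access?.roles ?? []);
  for (const client of Object.values(claims.resource_access ?? {})) {
    for (const role of client.roles ?? []) roles.add(role);
  }
  return [...roles].sort();
}

// policy is a hypothetical description of what the API enforces.
function explainToken(token, policy) {
  const claims = decodeJwtPayload(token);
  const aud = [].concat(claims.aud ?? []); // aud may be a string or an array
  const roles = collectRoles(claims);
  const findings = [];
  if (claims.azp !== policy.clientId && !aud.includes(policy.clientId)) {
    findings.push(`issued to "${claims.azp}", API expects "${policy.clientId}"`);
  }
  if (!roles.includes(policy.requiredRole)) {
    findings.push(`role "${policy.requiredRole}" not in token`);
  }
  return { azp: claims.azp, aud, scope: claims.scope ?? "", roles, findings };
}

// Constructed sample tokens (placeholder signature, not from a real server).
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}
const API_POLICY = { clientId: "api-public", requiredRole: "editor" };
const FROM_CONFIDENTIAL = makeSampleToken({
  azp: "sveltekit-web", aud: "account", scope: "openid profile email",
});
const FROM_PUBLIC = makeSampleToken({
  azp: "api-public", aud: ["account"], scope: "openid profile email",
  realm_access: { roles: ["editor"] },
});

console.log(explainToken(FROM_CONFIDENTIAL, API_POLICY).findings);
console.log(explainToken(FROM_PUBLIC, API_POLICY).findings);
```

Run it against a real token copied from the session to see its `azp`, `aud`, `scope` and roles side by side.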

Why does Svelte not have a SPA mode?
Why do I have to write a SSR/universal “app” when using Svelte?