If we are directly configuring KeyCloak with APIM, there are concerns:

Default implementation is handling the OIDC response received from IS and based on that do certain validation.

Further, in order to login to Store, the user should have certain permissions. These role mapping are added when the user provision happens during authentication with KeyCloak. If we are directly communicating with KeyCloak, these role mapping is not possible.

Considering these facts, configuring IS as KM leads this integration smoothly.