Keycloak redirect URIs in OIDC client can be without schema. Denylist schemas are only 'data' and 'javascript'.

OIDC Authentication Request specification states about redirect_uri:

Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.

This is enhanced by OAuth 2.0 Security Best Current Practice.

Taking all these into account we want to ask :

• Why does Keycloak accept redirect URIs without schema?
• Why do you accept wildcards in redirect URIs? This is risky - bad practice. See Insufficient redirect URI validation. Could at least this be a realm configuration ( do not accept wildcards for this realm)?
• Do you consider supporting two client categories ( web and native)? As you can see from OIDC specification and best practices web redirect URIs are more strict in validation.