Support OIDC authentication via ICAT authenticator #494

Open
1 task
louise-davies opened this issue Nov 26, 2020 · 2 comments · May be fixed by #568
Labels
enhancement New feature or request

Comments

louise-davies commented Nov 26, 2020

Description:
Brought up by Rolf, but we will eventually need to add an OIDC workflow to SciGateway to allow single sign on methods. This can perhaps also work with the ISIS user office.

We need more info on what is required, but thought it's useful to document the feature request from Rolf.

Acceptance criteria:

  • Support for OIDC login to ICAT
@louise-davies louise-davies added the enhancement New feature or request label Nov 26, 2020
@louise-davies louise-davies changed the title Support OAuth authentication via ICAT authenticator Support OIDC authentication via ICAT authenticator Jan 28, 2021
@louise-davies louise-davies linked a pull request Feb 18, 2021 that will close this issue
@louise-davies (Member, Author)
Would also need to make sure this feature is implemented as well: icatproject/topcat#480

RKrahl commented Jun 24, 2021

Regarding your request for more information on what is required, I can briefly sketch how I enable that with TopCAT in my test environment:

Prerequisite: I have Payara with all ICAT components behind an Apache reverse proxy (I have that anyway, also in the production environment without OIDC). The proxy has one virtual host section dedicated for TopCAT.

  • I use mod_auth_openidc in the Apache proxy to manage the OIDC protocol and all communication with Keycloak.
  • In the local URL path tree, I dedicate one branch /auth/ to mod_auth_openidc that is excluded from being proxied:
      <Location /auth/>
          ProxyPass !
          AuthType openid-connect
          Require valid-user
      </Location>
    
    As a result, all requests in /auth/* will require prior authentication with Keycloak. (I checked that TopCAT does not itself use any URL within that branch.)
  • I put a very simple Python web service script at /auth/login. Since this is in /auth/*, mod_auth_openidc will take care of logging the user in with Keycloak before the script is called. The script takes the access token from the request environment and uses that to log into ICAT with authn.oidc. It then returns a tiny webpage containing JavaScript to put the session id and related information into the browser's session storage and to redirect to TopCAT.
  • Since TopCAT finds the session id in the session storage, it considers the user to be logged in and doesn't request any further login itself.
  • In topcat.json I add the following to add a corresponding button on the login page:
    "extraLoginButtons": [
        {
            "title": "Login with SSO",
            "url": "https://topcat.example.org/auth/login"
        }
    ],
    

As pointed out, it requires the reverse proxy in the first place, which may not be an option for everyone. But if you already have that anyway, I would consider this approach using mod_auth_openidc as the best option.

Drawback with TopCAT: this doesn't cover logout. There is no way for the proxy to intercept the click on Logout as it points to a fragment URL that is handled locally with JavaScript in the user's browser and doesn't go through the proxy.
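The /auth/login script sketched in the comment above, written out as an added example (this is not RKrahl's script and not ICAT or TopCAT project code). It assumes that mod_auth_openidc exports the access token to the request environment as OIDC_access_token (its default behaviour when claims are passed as environment variables), that ICAT's REST login is a POST to <ICAT_URL>/icat/session with a form field "json" carrying {"plugin": "oidc", "credentials": [{"token": <access token>}]} (the credential shape used with authn.oidc), and that TopCAT reads the session from the sessionStorage key named STORAGE_KEY, which is only a placeholder here. ICAT_URL is likewise an assumed value; TOPCAT_URL is taken from the topcat.json snippet above.

```python
"""
WSGI handler for the /auth/login endpoint behind mod_auth_openidc.

Added example; all URLs, the sessionStorage key and the exact ICAT request
shape are assumptions, not facts taken from the page.
"""
import json
import urllib.parse
import urllib.request
from wsgiref.simple_server import make_server

ICAT_URL = "https://icat.example.org"       # assumed ICAT server URL
TOPCAT_URL = "https://topcat.example.org"   # TopCAT URL from the topcat.json above
STORAGE_KEY = "topcatSession"               # placeholder; set to the key TopCAT reads
REQUEST_TIMEOUT = 10


def icat_login_oidc(access_token, icat_url=ICAT_URL):
    """Exchange the OIDC access token for an ICAT session id via authn.oidc
    (assumed request shape: plugin "oidc", single credential "token")."""
    payload = {"plugin": "oidc", "credentials": [{"token": access_token}]}
    data = urllib.parse.urlencode({"json": json.dumps(payload)}).encode("ascii")
    req = urllib.request.Request(icat_url + "/icat/session", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=REQUEST_TIMEOUT) as resp:
        return json.loads(resp.read().decode("utf-8"))["sessionId"]


def js_literal(value):
    """JSON-encode a value for embedding inside <script>. Escaping '<' and '>'
    keeps a value containing '</script>' from terminating the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_redirect_page(session_id, storage_key=STORAGE_KEY, topcat_url=TOPCAT_URL):
    """The tiny page: store the ICAT session for TopCAT, then redirect to it."""
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body><script>'
        "sessionStorage.setItem(" + js_literal(storage_key) + ", "
        "JSON.stringify({sessionId: " + js_literal(session_id) + "}));"
        "window.location.replace(" + js_literal(topcat_url) + ");"
        "</script></body></html>"
    )


def make_app(login=icat_login_oidc):
    """Build the WSGI app; `login` is injectable so the flow can be tested offline."""
    def app(environ, start_response):
        token = environ.get("OIDC_access_token")
        if not token:
            # Only reachable if the <Location /auth/> block is missing or bypassed
            # (e.g. the script reached without going through Apache): fail closed.
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"no OIDC access token in request environment\n"]
        try:
            session_id = login(token)
        except (OSError, ValueError, KeyError):   # URLError, bad JSON, no sessionId
            start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
            return [b"ICAT login via authn.oidc failed\n"]
        body = render_redirect_page(session_id).encode("utf-8")
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Cache-Control", "no-store"),       # the page embeds a session id
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return app


def call(app, environ):
    """Run one request through a WSGI app; returns (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    # Stand-alone server for local experiments; behind the Apache proxy you
    # would mount this at /auth/login under mod_wsgi or similar instead.
    make_server("127.0.0.1", 8080, make_app()).serve_forever()
```

Three details worth keeping when adapting this: the handler fails closed when the access token is absent instead of attempting an unauthenticated login, the response is marked no-store because it embeds a session id, and the values written into the script are JSON-encoded with `<`/`>` escaped so a hostile session id or configured URL cannot break out of the script tag. The logout drawback above also applies to this script: TopCAT's local logout clears its own session storage but leaves the mod_auth_openidc session cookie in place, so the next click on "Login with SSO" will re-enter without any prompt unless the proxy-side session is ended separately.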
