Sonarr and Radarr is more often then not, without any authentication.
This can be dangerous when you publish CNAME records (not on cloudflare proxied).

If we want to support any sort of authentication we have to hardcode our user/pass in the browser URL which over http is also very insecure.

With keycloak the app would be able to authenticate against the proxy and redirect you to the proper url with api credentials.
These would have to be setup on the keycloak server.

client_secret -> automatically generated by keycloak

What do you think?