I use a similar setup, but for anyone following this guide I would not recommend hosting your custom OIDC server behind the same tailnet it authorizes.
Any configuration issues will lock you out entirely and you will need to have Tailscale support re-enable an OAuth provider, and it's not reversible.
I use an OAuth provider to log in to Tailscale and Keycloak internally as an OIDC provider for service-to-service auth.