Mostly posting this for the search. The explanation and solution are in https://forum.opnsense.org/index.php?topic=51150
If you have a setup where you use OIDC and your web GUI is behind the Caddy reverse proxy, the upstream change to Caddy will break OIDC because the OIDC provider will see the redirect_uri as being https://localhost:8443/api/oidc/rp/finalize/Keycloak, which is obviously invalid.
Adding the {host} header fixes it.
Services: Caddy: Reverse Proxy -> 'Headers' tab and add the header per the linked post.
Services: Caddy: Reverse Proxy -> 'Handlers' tab, edit your reverse proxy handler, go to Transport > HTTP Headers and select your custom header from the dropdown.
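
A check for the symptom described above, added here as an example and not part of the original post or the linked thread: it takes the authorization URL the browser is sent to (the `Location` of the login redirect) and verifies that its `redirect_uri` carries the public origin rather than the proxy's loopback upstream. The hostnames `fw.example.com` and `sso.example.com`, the realm, the `client_id` and the function names are assumptions, and the sample URLs are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Normalise a URL to (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def check_redirect_uri(authorization_url, public_origin):
    """Return (ok, reason) for the redirect_uri sent to the OIDC provider."""
    values = parse_qs(urlsplit(authorization_url).query).get("redirect_uri", [])
    if len(values) != 1:
        return False, "expected exactly one redirect_uri parameter"
    got, want = _origin(values[0]), _origin(public_origin)
    if got[1] in LOOPBACK_HOSTS:
        # The application built the URI from the Host header the proxy sent upstream.
        return False, f"redirect_uri uses loopback upstream {got[1]}:{got[2]}"
    if got != want:
        return False, f"redirect_uri origin {got} differs from public origin {want}"
    return True, "redirect_uri matches the public origin"

# Constructed sample data (hypothetical hostnames, realm and client_id).
PUBLIC_ORIGIN = "https://fw.example.com"
AUTH_ENDPOINT = "https://sso.example.com/realms/home/protocol/openid-connect/auth"

def sample_auth_url(redirect_uri):
    """Build a constructed authorization URL carrying the given redirect_uri."""
    params = {"response_type": "code", "client_id": "opnsense",
              "scope": "openid", "redirect_uri": redirect_uri}
    return AUTH_ENDPOINT + "?" + urlencode(params)

# The broken value is the one quoted in the post; the fixed one assumes the public host.
BROKEN = sample_auth_url("https://localhost:8443/api/oidc/rp/finalize/Keycloak")
FIXED = sample_auth_url("https://fw.example.com/api/oidc/rp/finalize/Keycloak")

if __name__ == "__main__":
    for label, url in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_redirect_uri(url, PUBLIC_ORIGIN))
```

Run it against the real redirect after applying the header change to confirm the provider now receives the public hostname.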