Secure login on third-party website with openid-connect

Getting advice
1

Hi! I have the following use case:

Starting point:
Keycloak instance up and running, working fine with openid-connect and my SPA.

Target goal:
Providing a form inside an iframe to third parties, which should use bearer token to post content to my service.

Problem statement:
I do not want the third party websites to have a) access to user credentials b) the bearer token.

First naive approach:
1.) On third party website, load form inside iframe.
2.) Open pop-up with keycloak login, provide redirect_url to some first-party page.
3.) On successful login, close pop-up and return bearer token to the iframe (window.opener) on the third party website.
4.) Use bearer token to post to my service.

Doubts:
a) The process would not allow for token refreshs.
b) Are iframes secure enough to shield the bearer token from access by the parent, third party website?
c) Exposing a redirect target which returns a bearer token to the (any) window.opener seems crazy.

Questions:
1.) What is the best-practice way to authenticate inside an iframe on a third-party website without exposing neither credentials nor tokens?
2.) Do i have some grave errors in my thought process?

Thank you for your input!

2

IDP login in the iframe looks very fishy. IMHO all good IDPs blocks that in the default configuration. Whole design seems to be non-standard. I would stick with standard approach instead of hacking standards, which may be unstable work around.

3

Yes, this is why i asked here^
Please excuse my ignorance, but what is IDP an acronym for?

And most important: What is the standard approach to enable a secure login (inside an iframe) on a third party website? I would gladly stick to standard approaches if i was aware of them.

4

IDP = Identity Provider (it can be a Keycloak). Standard is not using any iframe. Otherwise it seems to be a technique used by bad guys - clickjacking.

5

As far as the clickjacking goes, this is correct if the keycloak login is embedded in an iframe. Which i neither did nor asked about. The whole point of using a popup is to avoid the clickjacking.