When testing sign in using OIDC authentication provider with Keycloak (following existing instructions for v1.1) I noticed the metadataUrl pattern in the second snippet code (step 11 of 10.2 paragraph) is misleading: 
building the url as such 
metadataUrl: ${KEYCLOAK_BASE_URL}/auth/realms/${KEYCLOAK_REALM}
will generate an error; the correct one (at least for latest keycloak version 25) is
metadataUrl: ${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALM}
(notice the /auth/ no longer there).
Maybe it could be more helpful to just say to grab the url from the realm settings to avoid confusion (in Keycloack, Select your Realm -> Realm Settings -> General -> Endpoints).
Full up to date instructions from Backstage docs here.
As a plus, it can also be helpful to specify that your user will be validated against an existing entity in the catalog (following the resolver rules specified) or login will not succeed.