Create a Keycloak realm with a confidential OIDC client, configure client scopes and a custom claim mapper, and exchange tokens with token introspection

Verified steps

1. Using the Keycloak Admin REST API, create a realm: POST /admin/realms with body {"realm": "myrealm", "enabled": true}
2. Create a confidential client: POST /admin/realms/myrealm/clients with {"clientId": "myapp", "protocol": "openid-connect", "publicClient": false, "serviceAccountsEnabled": true, "standardFlowEnabled": true, "redirectUris": ["https://myapp.example.com/callback"]}
3. Create a custom client scope: POST /admin/realms/myrealm/client-scopes with {"name": "employee-id", "protocol": "openid-connect"}, then add a user attribute protocol mapper to it that maps user attribute 'employee_id' to claim 'employee_id' in both ID and access tokens
4. Assign the scope to the client as a default scope: PUT /admin/realms/myrealm/clients/<CLIENT_ID>/default-client-scopes/<SCOPE_ID>
5. Perform the authorization code + PKCE flow: generate code_verifier and code_challenge, redirect to /realms/myrealm/protocol/openid-connect/auth with response_type=code, code_challenge, and code_challenge_method=S256, then exchange the code at /realms/myrealm/protocol/openid-connect/token with code_verifier
6. Introspect the access token to verify claims: POST /realms/myrealm/protocol/openid-connect/token/introspect with client credentials and token parameter