Best practices for exposing identity provider endpoints

Hi!

I am implementing the complete authorization and authentication flow using Keycloak as the identity provider and OAuth2.

I have some questions that I would like to share with you in order to get more opinions and find the best solution.

My infrastructure basically has:

LB >> WAF >> API GATEWAY >> IDENTITY PROVIDER >> SERVICES

My questions relate mainly to exposing Keycloak endpoints publicly for authentication.

For example: is it good practice to expose the identity provider directly behind the WAF? (Following the infra described above, the requests would hit the identity provider directly, bypassing the API gateway.)

Which approach have you been using?

Thanks
Paulo.
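One concrete way to answer the "behind the WAF or behind the gateway?" question is to route the identity provider through the gateway and expose only the endpoints the OIDC flow actually needs, keeping the admin console, the master realm, metrics and health checks off the public path. The configuration below is an added example, not part of the original post and not Keycloak's own documentation; it assumes nginx is the API gateway (the post does not name one), Keycloak 17 or later (paths without the legacy `/auth` prefix), an application realm named `myrealm`, a public hostname `auth.example.com`, and Keycloak reachable internally as `keycloak:8080`. All of those names are placeholders.

```nginx
# Added example: gateway allowlist for Keycloak public endpoints.
# Assumed names: upstream keycloak:8080, realm "myrealm",
# public hostname auth.example.com. Adjust to your environment.

upstream keycloak {
    server keycloak:8080;
}

server {
    listen 443 ssl;
    server_name auth.example.com;
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Default deny: anything not matched by an allow block below is a 404,
    # so a new Keycloak endpoint is never exposed by accident.
    location / {
        return 404;
    }

    # Explicit deny for the parts that must never be reachable from the
    # internet: admin console and admin REST API, the master realm,
    # Prometheus metrics and health probes. Reach these only over the
    # internal network (or a VPN / bastion), never through the public edge.
    location ~ ^/(admin|realms/master|metrics|health)(/|$) {
        return 403;
    }

    # Public OIDC surface for the application realm:
    #   /realms/myrealm/.well-known/openid-configuration   (discovery)
    #   /realms/myrealm/protocol/openid-connect/...        (auth, token,
    #                                                       certs/JWKS,
    #                                                       userinfo, logout)
    #   /realms/myrealm/login-actions/...                  (login form POSTs,
    #                                                       password reset,
    #                                                       required actions)
    location ~ ^/realms/myrealm/(\.well-known/|protocol/openid-connect/|login-actions/) {
        proxy_pass http://keycloak;
        proxy_http_version 1.1;

        # Keycloak builds redirect URIs and issuer values from these headers,
        # so they must reflect the public scheme/host, not the internal hop.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
    }

    # Static theme assets (CSS/JS/images) used by the hosted login pages.
    location /resources/ {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Two notes on this layout. First, the allowlist is deliberately per realm: a second application realm gets its own `location` block rather than a wildcard, and the `master` realm stays denied. Second, Keycloak must be told it sits behind a TLS-terminating proxy so it trusts the `X-Forwarded-*` headers and advertises the public hostname in its discovery document; on current Keycloak that is the `KC_PROXY_HEADERS=xforwarded` and `KC_HOSTNAME` settings (older Quarkus-based releases used `KC_PROXY=edge`). Without that, the issuer and redirect URIs in the OIDC responses will point at the internal address and clients will reject the tokens. If the WAF sits in front of this gateway, as in the post's diagram, it still sees and can inspect every request; the difference is that the gateway, not the WAF, is what decides which Keycloak paths exist from the outside.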