Secure login on third-party website with openid-connect

Hi! I have the following use case:

Starting point:
Keycloak instance up and running, working fine with openid-connect and my SPA.

Target goal:
Providing a form inside an iframe to third parties, which should use bearer token to post content to my service.

Problem statement:
I do not want the third party websites to have a) access to user credentials b) the bearer token.

First naive approach:
1.) On third party website, load form inside iframe.
2.) Open pop-up with keycloak login, provide redirect_url to some first-party page.
3.) On successful login, close pop-up and return bearer token to the iframe (window.opener) on the third party website.
4.) Use bearer token to post to my service.

Doubts:
a) The process would not allow for token refreshs.
b) Are iframes secure enough to shield the bearer token from access by the parent, third party website?
c) Exposing a redirect target which returns a bearer token to the (any) window.opener seems crazy.

Questions:
1.) What is the best-practice way to authenticate inside an iframe on a third-party website without exposing neither credentials nor tokens?
2.) Do i have some grave errors in my thought process?

Thank you for your input!

IDP login in the iframe looks very fishy. IMHO all good IDPs blocks that in the default configuration. Whole design seems to be non-standard. I would stick with standard approach instead of hacking standards, which may be unstable work around.

Yes, this is why i asked here^
Please excuse my ignorance, but what is IDP an acronym for?

And most important: What is the standard approach to enable a secure login (inside an iframe) on a third party website? I would gladly stick to standard approaches if i was aware of them.

IDP = Identity Provider (it can be a Keycloak). Standard is not using any iframe. Otherwise it seems to be a technique used by bad guys - clickjacking.

As far as the clickjacking goes, this is correct if the keycloak login is embedded in an iframe. Which i neither did nor asked about. The whole point of using a popup is to avoid the clickjacking.