Unable to use flask-oidc with Keycloak public client for API calls


I am trying to connect a Flask application with a Keycloak public client that uses both types of endpoint decorators: @oidc.require_login and @oidc.accept_token. However, I have run into the following issue.

For a Keycloak confidential client I can access all endpoints in the Flask application. This is my app config:

flask_app.config.update({
    'SECRET_KEY': 'no-body-knows',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_OPENID_REALM': 'testrealm',
    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
    'OIDC_SCOPES': ['openid', 'email', 'profile'],
    'OIDC_COOKIE_SECURE': True,
    'OIDC_CALLBACK_ROUTE': '/oidc_callback',
    'OIDC_TOKEN_TYPE_HINT': 'access_token',
    'OIDC_RESOURCE_SERVER_ONLY': False
})

and these are the contents of my (sanitized) client_secrets.json:

{
    "web": {
        "client_id": "confidential-client",
        "client_secret": "axxxxxxx-1xxx-5xxx-exxxx-2xxxxxxx",
        "auth_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/auth",
        "token_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token",
        "issuer": "https://my-keycloak-url.com/auth/realms/testrealm",
        "userinfo_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/userinfo",
        "token_introspection_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token/introspect",
        "redirect_uris": [
            "http://localhost:5000/oidc_callback"
        ],
        "bearer_only": "true"
    }
}

For the case of a public Keycloak client, I modified my client_secrets.json as follows (I just set the client_secret to an empty string):

{
    "web": {
        "client_id": "public-client",
        "client_secret": "",
        "auth_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/auth",
        "token_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token",
        "issuer": "https://my-keycloak-url.com/auth/realms/testrealm",
        "userinfo_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/userinfo",
        "token_introspection_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token/introspect",
        "redirect_uris": [
            "http://localhost:5000/oidc_callback"
        ],
        "bearer_only": "true"
    }
}

However, when I deploy this Flask app under a public Keycloak client, I can still access the @oidc.require_login endpoints, but the @oidc.accept_token API endpoints return this error:

{"error": "invalid_token", "error_description": "Token required but invalid"}

The use of a Keycloak public client is a requirement of the microservice environment where this Flask app will live. I don't control this requirement, and the other microservices (written in Java, Angular, etc.) have no issues with this Keycloak configuration.

Is there a way to use a Keycloak public client with flask-oidc endpoints using the @oidc.accept_token decorator? It seems to me this is a common OIDC scenario.

I am running this on Python 3.8.6 with Flask 1.0.2 and flask-oidc 1.4.0.

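In flask-oidc 1.4 the @oidc.accept_token decorator validates a bearer token by calling the realm's token_introspection_uri with the client credentials from client_secrets.json, and Keycloak's introspection endpoint requires client authentication that a public client (empty client_secret) cannot provide, which is what surfaces as the invalid_token response above. An API that must run as a public client therefore has to validate the access token locally: verify the RS256 signature against the realm JWKS (with a library such as PyJWT), then apply the claim checks below. This is an added example, not code from the question or from flask-oidc; it takes the already signature-verified claims and assumes the issuer and client id from the question's client_secrets.json.

```python
import time
from typing import Optional

# Constructed to match the question's realm and public client (not live endpoints).
EXPECTED_ISSUER = "https://my-keycloak-url.com/auth/realms/testrealm"
EXPECTED_CLIENT = "public-client"


def check_keycloak_access_token(claims: dict, now: Optional[float] = None,
                                issuer: str = EXPECTED_ISSUER,
                                client_id: str = EXPECTED_CLIENT,
                                leeway: int = 30) -> Optional[str]:
    """Return None if `claims` may call the API, otherwise the rejection reason.

    `claims` must be the payload of a token whose RS256 signature has already
    been verified against the realm JWKS (e.g. by PyJWT). This function only
    applies the issuer, lifetime, token-type and audience checks that the
    introspection endpoint would otherwise have performed server-side.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return "issuer mismatch"
    # Keycloak marks access tokens with typ "Bearer"; refuse ID or refresh
    # tokens presented as bearer tokens.
    if claims.get("typ") != "Bearer":
        return "not an access token"
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return "token expired or missing exp"
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        return "token not yet valid"
    if isinstance(iat, (int, float)) and iat > now + leeway:
        return "token issued in the future"
    # Keycloak records the requesting client in `azp`; `aud` may be a string
    # or a list and usually names this client only when an audience mapper
    # is configured, so accept either form.
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences and claims.get("azp") != client_id:
        return "token was not issued for this client"
    return None
```

Wire the function in as the body of your own decorator in place of @oidc.accept_token, and return the invalid_token JSON error when it yields a reason.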