My issue has been resolved. it was because of incorrect base64 encoded client id.
❯ echo "tyk-test" | base64
dHlrLXRlc3QK // doesn't work with tyk because it has newline https://stackoverflow.com/a/46171699/2073920
❯ echo -n "tyk-test" | base64
dHlrLXRlc3Q= // works with tyk
Another working example of keycloak oidc with tyk-oss is GitHub - CanDIG/tyk-kc-demo: A toy demo showing how to use Tyk to protect an API, denying access to it without an OIDC token from a Keycloak instance, and enforcing rate limiting