There’s a pretty exhaustive README for that module, did you go through it? There’s also configuration guides to make it work with Google API and Keycloak.
I’m not sure what you mean by “middle layer” in this context. Keycloak is an authentication provider, if you decide to use OpenMRS with it, then OpenMRS must become a Keycloak client and should stop owning and performing the authentication process. ‘OAuth 2 Login’ turns OpenMRS into a client that authenticates with a provider over OAuth 2.
Yes, and there is no choice because OpenMRS does not fully support Spring Security.