Sudo for Git Requests and automatic User Creation

Hi all,
Thanks for being active here and helping out. I’m not sure if this is the correct channel here, though.

I’m using gitea as a backend-git-server. Users are managed by Keycloak. They will never see the Gitea UI, I only need its api and the git server capabilities.
I was able to connect gitea and keycloak via OIDC. However, every user needs to login via the Web UI once in order to exist in the Gitea DB.
Q1: How can I work around that? As far as I can tell, creating users via the API is not yet possible. I can only think of LDAP?

I managed to use the (great) sudo-Feature to make calls to the API as a user (user authorization is handled by my backend in advance). My backend is a git proxy, which routes Git traffic to a Service like GitHub for example or Gitea.
Q2: How do I authorize against the Git API? Using my Admin Token works, however the activities and permissions are wrong in that case. Activities are counted towards the Admin user, not the other one. Could you support the Sudo:username Header for Git requests, too?
A hacky workaround I found is creating a token for that user programatically via the API, however, I don’t really want to have to store that in my Backend. I’d prefer OIDC/OAuth2 for that, so I don’t need to store a token per user. I was able to create an OAuth2 Application, however, Users need to grant access there. So the next question is:

Q3: Can I grant access to an OAuth2 Application via the API? I can’t require users to visit the Web-UI (since it will not be accessible publicly) to grant access. I tried requesting https://gitea.redacted.com/login/oauth/authorize?... programatically, but that does not work since I can’t authenticate the user here. I just get redirected to the login page (which makes sense though).

Thanks for your responses in advance