Breaking Changes to latest docker images

The latest keycloak image (23.x) has introduced a breaking change which needs to be fixed before upgrading; please run the following whilst the old container is still running, replacing or-postgresql-1 with whatever name you have assigned to your postgresql container:

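# Recreates the 'account-console' client of the Keycloak 'master' realm by writing
# directly to Keycloak's tables in the 'openremote' database (psql runs as the
# 'postgres' user inside the or-postgresql-1 container).
# Take a database backup first: these statements change identity-provider
# configuration outside of Keycloak's own admin API.
#
# What the statements set up, all keyed on the fixed client id 2347d8eb-...:
#   - the client row itself, attached to the realm named 'master';
#   - a public client (public_client=true, secret=null) using openid-connect;
#     with no client secret, the PKCE attribute (S256) is what protects the flow;
#   - the redirect URI /realms/master/account/* and post-logout redirect '+';
#   - default (true) and optional (false) client scopes, the audience-resolve
#     protocol mapper, and a scope mapping to the 'manage-account' role.
#
# Every INSERT uses ON CONFLICT DO NOTHING, so re-running the command does not
# fail on rows that already exist.
# psql sends a multi-statement -c string as one request, which PostgreSQL runs
# as a single transaction, so an error should leave nothing half-applied.
# \$ stops the shell expanding ${...}; the literal placeholders are stored.
#
# The client_scope lookups are restricted to the 'master' realm. Matching on
# name alone with 'limit 1' can return a same-named scope belonging to another
# realm when more than one realm exists, linking this client to the wrong scope.
docker exec or-postgresql-1 psql -U postgres -d openremote -c "INSERT INTO public.client (id, client_id, not_before, realm_id) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', 'account-console', 0, (select id from public.realm where name = 'master')) ON CONFLICT DO NOTHING;
UPDATE public.client set base_url='/realms/master/account/', enabled=true, public_client=true, secret=null, protocol='openid-connect', frontchannel_logout=false, name='\${client_account-console}', client_authenticator_type='client-secret', root_url='\${authBaseUrl}' where id = '2347d8eb-f91a-48b1-98aa-0e631ea0f640';
INSERT INTO public.redirect_uris (client_id, value) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', '/realms/master/account/*') ON CONFLICT DO NOTHING;
INSERT INTO public.client_attributes (client_id, name, value) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', 'pkce.code.challenge.method', 'S256') ON CONFLICT DO NOTHING;
INSERT INTO public.client_attributes (client_id, name, value) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', 'post.logout.redirect.uris', '+') ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'acr' and realm_id = (select id from public.realm where name = 'master') limit 1), true) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'phone' and realm_id = (select id from public.realm where name = 'master') limit 1), false) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'address' and realm_id = (select id from public.realm where name = 'master') limit 1), false) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'microprofile-jwt' and realm_id = (select id from public.realm where name = 'master') limit 1), false) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'offline_access' and realm_id = (select id from public.realm where name = 'master') limit 1), false) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'email' and realm_id = (select id from public.realm where name = 'master') limit 1), true) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'roles' and realm_id = (select id from public.realm where name = 'master') limit 1), true) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'web-origins' and realm_id = (select id from public.realm where name = 'master') limit 1), true) ON CONFLICT DO NOTHING;
INSERT INTO public.client_scope_client (client_id, scope_id, default_scope) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT id from public.client_scope where name = 'profile' and realm_id = (select id from public.realm where name = 'master') limit 1), true) ON CONFLICT DO NOTHING;
INSERT INTO public.protocol_mapper (id, name, protocol, protocol_mapper_name, client_id, client_scope_id) VALUES ('d4e959a8-56a7-4e70-afde-36ac315c228c', 'audience resolve', 'openid-connect', 'oidc-audience-resolve-mapper', '2347d8eb-f91a-48b1-98aa-0e631ea0f640', null) ON CONFLICT DO NOTHING;
INSERT INTO public.scope_mapping (client_id, role_id) VALUES ('2347d8eb-f91a-48b1-98aa-0e631ea0f640', (SELECT kr.id from public.keycloak_role kr inner join public.realm r on r.id = kr.realm_id where kr.name = 'manage-account' and r.name = 'master')) ON CONFLICT DO NOTHING;"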

After this you can start using the 23.x image(s), but note that any theme customisations should also be checked for breaking changes.
