Exposing Keycloak over multiple Frontend URLs


Atul Bisaria

Jun 7, 2020, 5:02:12 AM
to Keycloak User
Hi,

Keycloak introduced the concept of "Frontend URL" to enable different URLs for front-channel and back-channel requests towards Keycloak.

We have a use case where the same Keycloak server is exposed via 2 public URLs (over 2 separate VPNs which are not accessible to each other) via separate Nginx proxies in a Kubernetes cluster:


and an internal URL: 


The problem is that we can set only one Frontend URL. For example, let's say we set it to domain1.company.com. Now when public clients access Keycloak via domain2.company.com using the OIDC Discovery Endpoint, they get the authorization_endpoint as https://domain1.company.com/auth/realms/{realm-name}/protocol/openid-connect/auth, which is not accessible due to inaccessible separate VPNs.

By allowing only one value of Frontend URL, Keycloak assumes that the server is accessible via only one public URL, which may not be the case, as in our example.

Is there a solution available to this problem?

Best regards,
Atul Bisaria
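The mismatch described in the post above can be checked from the client side. The following is an added example, not part of the original post and not Keycloak code: it compares a discovery document against the issuer URL used to fetch it, flagging an `issuer` that differs (OpenID Connect Discovery requires them to be identical) and front-channel endpoints on another origin. The realm name `demo` and the sample documents are constructed; the host names are the ones from the post.

```python
from urllib.parse import urlsplit

# Endpoints in an OIDC discovery document that the browser must reach.
FRONT_CHANNEL = ("authorization_endpoint", "end_session_endpoint")


def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


def check_discovery(accessed_issuer, doc):
    """Return (field, advertised_url) findings; an empty list means consistent."""
    findings = []
    # The issuer in the document must equal the issuer URL the client used.
    if doc.get("issuer") != accessed_issuer:
        findings.append(("issuer", doc.get("issuer")))
    # Front-channel endpoints on another origin may be unreachable for the
    # user (the separate-VPN case in the post).
    want = origin(accessed_issuer)
    for field in FRONT_CHANNEL:
        url = doc.get(field)
        if url and origin(url) != want:
            findings.append((field, url))
    return findings


def sample_doc(host, realm="demo"):
    """Constructed discovery document; realm name is an assumption."""
    base = f"https://{host}/auth/realms/{realm}"
    oidc = base + "/protocol/openid-connect"
    return {
        "issuer": base,
        "authorization_endpoint": oidc + "/auth",
        "token_endpoint": oidc + "/token",
        "end_session_endpoint": oidc + "/logout",
    }


if __name__ == "__main__":
    # Client reaches Keycloak via domain2, Frontend URL is set to domain1.
    accessed = "https://domain2.company.com/auth/realms/demo"
    for field, url in check_discovery(accessed, sample_doc("domain1.company.com")):
        print(f"{field}: {url}")
```

Run against each public URL, an empty result means the metadata served on that URL is consistent with it.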

atul.b...@gmail.com

Sep 4, 2020, 8:24:26 AM
to Keycloak User

Any suggestions on this will be greatly appreciated.

Is it possible to do some implementation of the HostnameProvider SPI to resolve this problem?