
I have a common problem with Keycloak token issuer verification, for which I am searching for a solution for my use case. My setup is as follows: I use the jboss Keycloak Docker image with Docker Compose, with the container name "keycloak" on internal port 8080 and external port 8042. On the same Docker network, I have a resource server, which is a Java Spring application with container name "api" on internal and external port 9111. On my host machine (localhost:8090), I now run a Spring MVC application where a user can log in using Keycloak. Additionally, this application has credentials for a service account, which it uses to get an access token from the Keycloak instance to authenticate with the resource server using Bearer authentication.

The main problem is that the issuer field in the token is http://localhost:8042/auth/realms/test but the resource server expects it to be http://keycloak:8080/auth/realms/test.

I've found multiple related questions on StackOverflow, none of which had a solution which worked for me. Setting KEYCLOAK_FRONTEND_URL (or KEYCLOAK_HOSTNAME), as suggested in 1 or 2, won't work when set to keycloak, because, as one would expect, redirects for the user login will direct to keycloak as well, which isn't available from outside the Docker network (for the browser).

Also, setting the issuer for my resource server to localhost obviously won't work either, because Keycloak is not locally available inside the "api" container.

I've found this issue for Keycloak, which seems to address my problem, but I didn't find a workaround.

Is there anything I can do to work around my problem?

The only solution I have found so far was to put "api" on the host network with network-mode "host". However, this introduces a whole lot of other issues. For example, on macOS I won't be able to connect to the resource server with the current networking implementation of Docker (while it seems to work on Linux).

tierriminator
