I have a multi-tenancy application where tenants access their respective apps on separate subdomains, e.g. client1.app.test and client2.app.test.
I have an authentication backend server that orchestrates the OIDC flow and handles the sessions, and Keycloak as my identity provider. Both are accessible through reverse proxies under the clients' domains.
I am using one realm for all tenants.
I want all frontchannel communication to go through the respective public domains and all backchannel communication between the auth backend and keycloak to go through the same internal address. In my auth backend I use the node openid-client which I configure via Keycloak's OIDC Discovery Document endpoint.
So when calling https://client1.app.test/auth/realms/master/.well-known/openid-configuration
I expect keycloak to return
{
"issuer": "https://client1.app.test/auth/realms/master",
"authorization_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint": "http://keycloak:8180/auth/realms/master/protocol/openid-connect/token",
"introspection_endpoint": "http://keycloak:8180/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://keycloak:8180/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/logout"
}
but instead it returns
{
"issuer": "https://client1.app.test/auth/realms/master",
"authorization_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/token",
"introspection_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://client1.app.test/auth/realms/master/protocol/openid-connect/logout"
}
I read the "Using a reverse proxy" and "Configuring the hostname" docs. I can only change the hostname. There seems to be no setting to configure a static host for backchannel endpoints.
Can keycloak return static backchannel and dynamic frontchannel endpoints via the OpenID Connect Discovery Document?
On second thought, the OIDC discovery endpoint is a public-facing endpoint. It seems strange that it should return internal addresses... maybe there is another way apart from setting all backchannel endpoints manually?
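One way to get the split the question asks for without hand-maintaining every endpoint is to do it on the client side: fetch the public discovery document (which, as the last paragraph notes, should only ever contain public URLs) and rewrite just the backchannel endpoints to the internal address before handing the metadata to the OIDC library. The code below is an added example written for this page, not code from the original post, from Keycloak or from openid-client. It is plain Node.js with no dependencies; the sample document is constructed from the second JSON above, the internal base `http://keycloak:8180` is the one the question gives, and the assumption that the resulting object can be passed to the client library instead of letting it discover the endpoints itself (e.g. `new Issuer(metadata)` in openid-client v4/v5) is stated in a comment.

```javascript
// Added example (not from the post or from openid-client): split a Keycloak
// discovery document into public frontchannel and internal backchannel
// endpoints on the client side. Plain Node.js, uses only the WHATWG URL API.
// Assumption: the returned object is fed to the OIDC library as static
// metadata (e.g. `new Issuer(metadata)` in openid-client v4/v5) instead of
// calling its discovery helper.

// Endpoints only the auth backend talks to. Everything else (issuer,
// authorization_endpoint, end_session_endpoint) is reached by the browser
// via redirects and must keep its public, per-tenant URL.
const BACKCHANNEL_KEYS = [
  'token_endpoint',
  'introspection_endpoint',
  'userinfo_endpoint',
  'revocation_endpoint',
  'jwks_uri',
];

// Rewrite scheme+host+port of the backchannel endpoints to `internalBase`
// (e.g. "http://keycloak:8180"), but only for endpoints currently on the
// public issuer's origin; anything already pointing elsewhere is left alone.
// `issuer` is deliberately untouched: the library compares it with the `iss`
// claim of the ID token, which must remain the public per-tenant value.
function splitChannels(discovery, internalBase) {
  const publicOrigin = new URL(discovery.issuer).origin;
  const internal = new URL(internalBase);
  const out = { ...discovery }; // never mutate the fetched document
  for (const key of BACKCHANNEL_KEYS) {
    if (typeof out[key] !== 'string') continue;
    const u = new URL(out[key]);
    if (u.origin !== publicOrigin) continue;
    u.protocol = internal.protocol;
    u.host = internal.host; // `host` carries the port as well
    out[key] = u.toString();
  }
  return out;
}

// Sanity check before the metadata is used: anything the browser is redirected
// to must still be on the public origin, and a cleartext backchannel is only
// acceptable towards the internal host. Returns a list of problems (empty = ok).
function checkChannels(metadata, internalBase) {
  const publicOrigin = new URL(metadata.issuer).origin;
  const internalOrigin = new URL(internalBase).origin;
  const problems = [];
  for (const key of ['authorization_endpoint', 'end_session_endpoint']) {
    if (metadata[key] && new URL(metadata[key]).origin !== publicOrigin) {
      problems.push(`${key} is not on the public origin ${publicOrigin}`);
    }
  }
  for (const key of BACKCHANNEL_KEYS) {
    if (!metadata[key]) continue;
    const u = new URL(metadata[key]);
    if (u.protocol === 'http:' && u.origin !== internalOrigin) {
      problems.push(`${key} uses cleartext http to a non-internal host ${u.host}`);
    }
  }
  return problems;
}

// Constructed sample: the document Keycloak actually returns for tenant 1
// (the second JSON in the post), containing only public URLs.
const publicDiscovery = {
  issuer: 'https://client1.app.test/auth/realms/master',
  authorization_endpoint: 'https://client1.app.test/auth/realms/master/protocol/openid-connect/auth',
  token_endpoint: 'https://client1.app.test/auth/realms/master/protocol/openid-connect/token',
  introspection_endpoint: 'https://client1.app.test/auth/realms/master/protocol/openid-connect/token/introspect',
  userinfo_endpoint: 'https://client1.app.test/auth/realms/master/protocol/openid-connect/userinfo',
  end_session_endpoint: 'https://client1.app.test/auth/realms/master/protocol/openid-connect/logout',
};

const metadata = splitChannels(publicDiscovery, 'http://keycloak:8180');
const problems = checkChannels(metadata, 'http://keycloak:8180');
if (problems.length) throw new Error(problems.join('; '));
console.log(JSON.stringify(metadata, null, 2));
```

The same function serves every tenant because it keys off the `issuer` of whichever document was fetched; run it once per tenant at startup and cache the result. One caveat the rewrite does not remove: the tokens Keycloak mints when reached at `http://keycloak:8180` still have to carry the public `iss`. With a request-derived hostname (hostname strictness off and forwarded headers honoured) that depends on the forwarded host/proto headers the backend sends on its backchannel calls; if the ID token arrives with `http://keycloak:8180/...` as its issuer, the client library will reject it against the public `issuer` kept above.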