How does Keycloak decide which RedirectUri to use?

Keycloak 23.0.1: I have a single client, which is used for both browser and CLI access. I have two RedirectUris set: for the browser, this is, and for the CLI this is

This works fine when a user logs in via a browser. However, when I test command-line access (a git operation using GCM or git-credential-oauth) the RedirectUri returned by Keycloak is the browser version, and not the localhost version.

When Keycloak gets the git request it returns a 302, with this invalid redirect:

I’ve obviously set this up incorrectly somehow, but I have no idea how. How does Keycloak decide which RedirectUri to use? Is this scope-related? I don’t have any user-defined scopes. My first thought was that I should set up two different clients, but I think this is the wrong answer (my front-end is Apache mod_auth_openidc, which can’t support two different clients at the same provider). Thanks.