Keycloak 23.0.1: I have a single client, which is used for both browser and CLI access. I have two RedirectUris set: for the browser, this is https://example.com/oauth2callback, and for the CLI this is http://127.0.0.1.
This works fine when a user logs in via a browser. However, when I test command-line access (a git operation using GCM or git-credential-oauth) the RedirectUri returned by Keycloak is the browser version, and not the localhost version.
When Keycloak gets the git request it returns a 302, with this invalid redirect:
https://example.com/keycloak/realms/vserver/protocol/openid-connect/auth?response_type=code&scope=openid%20email&client_id=openid-connect&state=...&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2callback&nonce=...
I’ve obviously set this up incorrectly somehow, but I have no idea how. How does Keycloak decide which RedirectUri to use? Is this scope-related? I don’t have any user-defined scopes. My first thought was that I should set up two different clients, but I think this is the wrong answer (my front-end is Apache mod_auth_openidc, which can’t support two different clients at the same provider). Thanks.