Invalid token issuer

I have looked through the code and all I can say is that the recipe I followed is quite complicated and very difficult to explain in simple terms.

However, the primary principles remain the same and are used to drive everything else:

1. Use PROXY_ADDRESS_FORWARDING=true and KEYCLOAK_FRONTEND_URL=, the one used by public apps to reference Keycloak instance.
2. Put a proxy in front of your Keycloak instance and
   - rewrite X-Forwarded-Proto to your public Keycloak URL scheme (http or https)
   - rewrite X-Forwarded-Host to :
3. Optionally, use separate Keycloak “resource” for public and private Keycloak access. Applications use the confidential resource while public clients the public resource.
4. Make sure you assign to Keycloak clients the correct flows and configurations, e.g. “Client Protocol”, “Access Type”, “Standard Flow Enabled”, “Direct Access Grants Enabled”, “Valid Redirect URIs”, “Web Origins”

If in doubt, read the documentation very carefully. It is a tough read, but trust me, it will help you derive a full understanding and figure out the details you are possibly missing.

I am sorry, I cannot make this any simpler.
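
A diagnostic sketch for the "invalid token issuer" symptom, added here as an example and not part of the original post: it reads the `iss` claim from a token and reports which part differs from the issuer the application expects, pointing at the forwarded header or frontend URL to check. It assumes the issuer has the form `<frontend URL>/realms/<realm>`; the hostnames, the realm `demo` and all function names are constructed for illustration, and the payload is decoded without signature verification, for diagnosis only.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_mismatch(token: str, expected_issuer: str) -> list:
    """Return findings describing how the token's iss differs; empty if it matches."""
    got = urlsplit(jwt_claims(token).get("iss", ""))
    want = urlsplit(expected_issuer)
    findings = []
    if got.scheme != want.scheme:
        findings.append(
            f"scheme {got.scheme!r} != {want.scheme!r}: check X-Forwarded-Proto")
    if (got.hostname, got.port) != (want.hostname, want.port):
        findings.append(
            f"host {got.netloc!r} != {want.netloc!r}: "
            "check X-Forwarded-Host and KEYCLOAK_FRONTEND_URL")
    if got.path.rstrip("/") != want.path.rstrip("/"):
        findings.append(
            f"path {got.path!r} != {want.path!r}: check realm and frontend URL path")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the demo runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed values: the token was minted through the internal address,
    # while the application expects the public one.
    expected = "https://sso.example.test/auth/realms/demo"
    token = make_sample_token({"iss": "http://keycloak:8080/auth/realms/demo"})
    for finding in issuer_mismatch(token, expected) or ["issuer matches"]:
        print(finding)
```
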