We believe that the problem is related to the address the user is using being different from the actual address the server is on. And this makes even more sense when we take into account that it was working fine before the addition of the WAG.
1- WAG is just a proxy, there is no authentication;
2- The whole authorization phase works, but then when the callback is called and the App tries to validate the access, it throws the error (as we could see in Fiddler, there are no cookies on this request, which we think is causing the problem);
3- Auth is using Keycloak, based on this library: GitHub - elmankross/Jboss.AspNetCore.Authentication.Keycloak
It doesn’t look like a problem with Keycloak, but it seems to be a problem with the library used. I don’t think that the app is validating the access. It is failing on the callback URL - that’s the URL where the app should get the code and exchange it for the token (only the token is used for authentication/authorization). You still didn’t disclose the OIDC flow used or the library configuration used (I would really like to see that “magic”: Authentication with autosetup through keycloak.json file. All examples in the repo are for bearer-only; are you sure that the library supports web apps and not API only?).
Pardon me a stupid question: does your app have network access to the Keycloak server via the URL which was used for the user auth in the browser?
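One way to test the hypothesis raised in this thread (the callback arrives without cookies because the address the browser uses differs from the address the app sees) is to check whether the cookie set at the start of the login would be sent to the `redirect_uri` in the authorization request. This is an added example, not code from the thread or from the library; the host names, cookie name, callback path and authorization-code request are constructed, and the matching rules are a simplified reading of RFC 6265.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

def cookie_would_be_sent(set_by_url, set_cookie, request_url):
    """Simplified RFC 6265 matching. Returns (sent, reason)."""
    origin, target = urlsplit(set_by_url), urlsplit(request_url)
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    domain = morsel["domain"].lstrip(".").lower()
    host = (target.hostname or "").lower()
    if domain:
        # Domain attribute present: exact host or a subdomain of it matches.
        if host != domain and not host.endswith("." + domain):
            return False, f"host {host} is outside Domain={domain}"
    elif host != (origin.hostname or "").lower():
        # No Domain attribute: the cookie is bound to the exact host that set it.
        return False, f"host-only cookie for {origin.hostname}, request goes to {host}"
    if morsel["secure"] and target.scheme != "https":
        return False, "Secure cookie, but the request is plain http"
    path = morsel["path"] or "/"
    if not (target.path or "/").startswith(path):
        return False, f"request path is outside Path={path}"
    return True, "cookie is sent"

def check_callback(browser_url, set_cookie, authorize_url):
    """Take redirect_uri from the authorization request and test the cookie against it."""
    redirect_uri = parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]
    sent, reason = cookie_would_be_sent(browser_url, set_cookie, redirect_uri)
    return redirect_uri, sent, reason

# Constructed capture: the browser talks to the gateway at portal.example, while
# the app builds redirect_uri from the address it sees behind the gateway.
BROWSER_URL = "https://portal.example/secure"
SET_COOKIE = "oidc_state=abc123; Path=/; Secure; HttpOnly"
AUTHORIZE_INTERNAL = ("https://sso.example/auth/realms/demo/protocol/openid-connect/auth"
                      "?client_id=app&response_type=code"
                      "&redirect_uri=http%3A%2F%2Fapp.internal.example%3A5000%2Fcallback")
AUTHORIZE_PUBLIC = ("https://sso.example/auth/realms/demo/protocol/openid-connect/auth"
                    "?client_id=app&response_type=code"
                    "&redirect_uri=https%3A%2F%2Fportal.example%2Fcallback")

if __name__ == "__main__":
    for url in (AUTHORIZE_INTERNAL, AUTHORIZE_PUBLIC):
        print(check_callback(BROWSER_URL, SET_COOKIE, url))
```

To use it on a real capture, copy the `Set-Cookie` header from the response that starts the login and the full authorization URL from the redirect that follows it.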