Keycloak behind termination proxy in container - wrong expected audiences

Hi, I have a containerized config with nginx keycloak and ontoserver used to test smart backend authentication.

On the token request call, I got error response:

Unable to obtain an access token:
invalid_client Client authentication with signed JWT failed: Token audience doesn't match domain.
Expected audiences are any of [
    http://onto.local/realms/ontoserver,
    http://onto.local/realms/ontoserver/protocol/openid-connect/token,
    http://onto.local/realms/ontoserver/protocol/openid-connect/token/introspect,
    http://onto.local/realms/ontoserver/protocol/openid-connect/ext/par/request,
    http://onto.local/realms/ontoserver/protocol/openid-connect/ext/ciba/auth]
but audience from token is
   '[https://onto.local/realms/ontoserver/protocol/openid-connect/token]'

How can I configure keycloak (nginx?) to have the https schema endponts included in the accepted audiences?

If no other way, how can I add them manually in the keycloak client configuration?

Thanks in advance
/Juan

docker config:

version: "3"

volumes:
  postgres_data:
    driver: local
services:
#  db:
#    image: postgres-ontoserver
#    container_name: onto-db
#    build:
#      context: ./postgres
#    volumes:
#      - pgdata:/var/lib/postgresql/data
#    environment:
#      - POSTGRES_HOST_AUTH_METHOD=trust
  db:
    container_name: onto-db
    image: postgres:15
    environment:
      - POSTGRES_HOST_AUTH_METHOD=trust
    volumes:
      - postgres_data:/var/lib/postgresql/data
  ontoserver:
#    image: quay.io/aehrc/ontoserver:latest
    image: quay.io/aehrc/ontoserver:ctsa-6.19.2
    container_name: onto-onto
    depends_on:
      - db
    environment:
      # TLS is handled by nginx
      - ONTOSERVER_INSECURE=true
      # what is the FHIR base url of your Ontoserver? Used to generate links and is featured in the conformance statement
      - conformance.fhir.base=https://onto.local/fhir # <== CHANGE THIS SETTING
      # enables the OAuth sub-system, required
      - ontoserver.security.enabled=true
      # is read-only access to FHIR allowed? if false, only /fhir/metadata is allowed without authentication
      - ontoserver.security.readOnly.fhir=false # change?
      - ontoserver.security.readOnly.api=false # change?
      - ontoserver.security.readOnly.synd=false # change?
      # can also be Basic, but the documentation does not state how Basic credentials are verified
      - conformance.security.kinds=SMART-on-FHIR
      # this is the text that displays in the conformance statement
      - conformance.security.description=This server uses OpenID Connect to
        authorize requests. Read-Only FHIR requests are NOT allowed.
      # this is featured in the machine-readable ConformanceStatement and should point to the "authorize" url of your keycloak installation
      - conformance.security.authorize=https://onto.local/realms/ontoserver/protocol/openid-connect/auth
      # dito, point to your token endpoit
      - conformance.security.token=https://onto.local/realms/ontoserver/protocol/openid-connect/token # <== CHANGE THIS SETTING
        # keycloak does not really support symmetric signing keys for JWTs using HS256 (rather, the key can not be extracted),
        # so that RS256 asymmetric crypto is used for key signing. The public key for RS256 can be obtained in the 'Realm Settings'
        # section for the chosen Realm, and then go to "Keys" and copy the Public Key via the button in the RS256 row.
        # Replace the public key in the line below, keeping the markers intact (with 5 leading and trailing dashes!).
      - ontoserver.security.token.secret=-----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolXTFhA8IcYz7vq3gxzem88DUQK3q7rdOtHPJCpC7BRwV4qsOvDdR74D76mb2OceApbAtTAja18ajitvNJ0M31AEG5eD8RGhdwnHgxksLFeoEkY9tCPSCYu1O2EH2FnDSYj/3a2nR6rqanDpzpNJqgn3yX9mL1LQp7fzxD5SsIR3EHBdffSI69dq0tPQ1Cjy7NgQFDThTZcvIxlga3mCJUPsYjoRFdVL84sjgAkSrnQbd8XZaeXJdfckfeT50TpvLm9wMQbha0STfKAxA577FXQq5CSzEoSL0CjB8/bKj1UPbQRgAB5BfZ/DidRSpQOFPST7kMRTBL0uDWNV8gIFnQIDAQAB
        -----END PUBLIC KEY----- # CHANGE THIS SETTING
      - JAVA_OPTS=-Xmx2G # 2G mimimum, 8G optimum
  keycloak:
    image: ontoserver-keycloak
    container_name: onto-keycloak
    depends_on:
      - db
    build:
      context: ./keycloak
    ports:
      - "8080:8080"
    environment:
#      - KEYCLOAK_USER_FILE=/opt/secrets/username.secret #<== CREATE THIS FILE
#      - KEYCLOAK_PASSWORD_FILE=/opt/secrets/password.secret #<== CREATE THIS FILE
#      - DB_VENDOR=postgres
#      - DB_ADDR=db
#      - DB_DATABASE=keycloak-orig
#      -
#      - KC_LOG_LEVEL=DEBUG
#      -
      - KEYCLOAK_FRONTEND_URL=https://onto.local/realms/ontoserver
#      -
#      - KC_DB=postgres
#      - KC_DB_USERNAME=cdr
#      - KC_DB_PASSWORD=smile
#      - KC_DB_URL=jdbc:postgresql://host.docker.internal/kc-tls
      - KC_HOSTNAME=onto.local
#      - DB_VENDOR=postgres
#      - DB_ADDR=jdbc:postgresql://db:5432/keycloak
#      - DB_DATABASE=kc-tls
#      -
      - KC_HTTP-ENABLED=true
#      -
#      - KEYCLOAK_ADMIN=admin
#      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
      - KC_BOOTSTRAP_ADMIN_PASSWORD=admin
#      -
      - PROXY_ADDRESS_FORWARDING=true # essential for operating behind proxy!
      - KC_PROXY=edge
    command:
      - start-dev
#      - --import-realm
#      - --optimized
  nginx:
    image: ontoserver-nginx
    container_name: onto-nginx
#    command: [nginx-debug, '-g', 'daemon off;']
    command:
      - nginx
    build:
      context: ./nginx
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - ontoserver
      - keycloak

nginx config:

events { worker_connections 1024; }

error_log  stderr debug;

http {

  server {  
    listen 80;
    listen [::]:80;
    server_name onto.local;

    access_log  /dev/stdout;
    
    client_max_body_size 600M;

    include ssl.conf;

    # enforce HSTS, this may make debugging harder and is not active during testing!
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # resolve relative file names (index.html) from this dir
    root /usr/share/nginx/html;
    # handle index.html, bypassing Ontoserver
    location /index.html {
      try_files index.html =404;
      # if the file is missing, serve a 404.
    }

    # pass keycloak to keycloak container
    location /keycloak/ {
      proxy_pass          http://keycloak:8080/;
      proxy_set_header    Host               $host;
      proxy_set_header    X-Real-IP          $remote_addr;
      proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Host   $host;
      proxy_set_header    X-Forwarded-Server $host;
      proxy_set_header    X-Forwarded-Port   $server_port;
      proxy_set_header    X-Forwarded-Proto  $scheme;
    }

    # redirect auth separately (http://<server>/keycloak will redirect to /realms)
    location /realms/ {
      proxy_pass          http://keycloak:8080/;
      proxy_set_header    Host               $host;
      proxy_set_header    X-Real-IP          $remote_addr;
      proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
      proxy_set_header    X-Forwarded-Host   $host;
      proxy_set_header    X-Forwarded-Server $host;
      proxy_set_header    X-Forwarded-Port   $server_port;
      proxy_set_header    X-Forwarded-Proto  $scheme;
    }

    # everything else (notably: /fhir/, /css/ and /js/) will be handled by ontoserver
    location / {
      proxy_http_version    1.1;
      proxy_pass            http://ontoserver:8080/;
      proxy_set_header      Host $host;
      proxy_read_timeout    300s;
      include cors_support; 
    }
  }
}