Keycloak - https proxy - tomcat - spring boot adapter-not working

Need you help,

We have angular web application with spring boot REST services deployed on tomcat, Using Keycloak for IAM
Apache web server setup for external application access .
Self signed certificate installed on apache for testing. (not production environment)
No https required between apache and keycloak. so proxy configured as ‘edge’ mode.

Facing 2 issues and need your help

Access to angular application with apache and user login with keycloak works fine. Access token generated and sent in header to back end services.
On accessing back end REST services , receiving auth error message :

**error="invalid_token", error_description="Invalid token issuer. Expected 'http://<servername>/realms/<realmname>', but was 'https://<servername>/realms/<realmname>**'"

Keycloak admin console access not required from external url. only internal access within server.

Not able to access admin console with URL http://localhost:9090/admin/master/console , white page with frequent screen refresh.
**Error : 404 not found for url : http://<Servername>/realms/master/protocol/openid-connect/3p-cookies/step1.html?version=w3fck**

Here is my environment setup

OS: Windows 
All applications setup on single server
	Version: 17.0.1
	run params:	kc.bat start --http-port=9090 --proxy=edge --hostname=<servername> 
        --hostname-strict-https=false     --http-enabled=true --auto-build
Apache 	Webserver (Apache Haus)
	Version: 2.4
<VirtualHost *:443>
  SSLEngine on
  ServerName <servername>:443
  ServerAlias <servername>
  SSLProtocol all
  SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
  SSLCertificateChainFile "${SRVROOT}/conf/ssl/server.crt"
	ProxyPreserveHost On	
    ProxyRequests Off
	RequestHeader add "X-Forwarded-For" "X-Forwarded-Server"
	RequestHeader set x-ssl-client-cert "${SRVROOT}/conf/ssl/server.crt"
	RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
	RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
	RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
	SSLProxyEngine On
	SSLProxyCheckPeerCN on
	SSLProxyCheckPeerExpire on
	RequestHeader set X-Forwarded-Proto "https"
	RequestHeader set X-Forwarded-Port "443"
	ProxyPass /realms/ http://localhost:9090/realms/
    ProxyPassReverse /realms/ http://localhost:9090/realms/
	ProxyPass /js/ http://localhost:9090/js/
    ProxyPassReverse /js/ http://localhost:9090/js/
	ProxyPass /resources/ http://localhost:9090/resources/
    ProxyPassReverse /resources/ http://localhost:9090/resources/
	ProxyPass /api http://localhost:8080/<SpringBootServices>
    ProxyPassReverse /api http://localhost:8080/<<SpringBootServices>
	ProxyPass /AngularWeb/ http://localhost:8080/AngularWeb/
    ProxyPassReverse /AngularWeb/ http://localhost:8080/AngularWeb/

Tomcat Server 
	Version: 9.0
        port: 8080
Backend Services with Spring Boot - keycloak-spring-security-adapter
	Version: 17.0.1
Angular- auth
	angular-auth-oidc-client- version 13.1.0

Your backend is set to use https://localhost:9090 as keycloak auth-server-url

It should be configured to the external url the browser will try to connect to. In you case, the URL exposed by the apache server.

IMHO, there is right now no way to tell the adapter to give clients (browsers) one URL and use another internal one for itself.

If you need such scenario (you shouldn’t), you’ll need to tell keycloak what URL it should expose (using the hostname-xxx options or change the realm’s frontend_url) and maybe configure your backend to find keycloak external hostname with an entry at /etc/hosts or in your dns server.

Thank you for the response,

apache URL is https , if we provide that URL in backend, we should configure keycloak adapater additional paramerers to communicate on https ?
truststore or client-keystore ? (Securing Applications and Services Guide)

You need a client keystore only if default java certificates are not enough (if you apache cert is self-signed or signed by an internal certificate authority. If it’s from a commercial authority you’re probably fine).

In other words, I’d try first without one and them add if necessary.

Thank you ,
Updated keycloak auth-server-url to apache external url.
now getting below error

java.lang.Exception: Method Not Allowed
at org.keycloak.adapters.KeycloakDeployment.getOidcConfiguration( ~[keycloak-adapter-core-16.1.1.jar:16.1.1]

if we set keycloak trust store configuration then receiving error PKIX path building failed: unable to find valid certification path to requested target
at java.base/ ~[na:na]

using self signed certificate on apache.

This should be truststore. client_store if for mutual tls authentication, if your keycloak server is configured to request it (not your case). Per de the docs:

The value is the file path to a truststore file. If you prefix the path with classpath:, then the truststore will be obtained from the deployment’s classpath instead. Used for outgoing HTTPS communications to the Keycloak server. Client making HTTPS requests need a way to verify the host of the server they are talking to. This is what the trustore does. The keystore contains one or more trusted host certificates or certificate authorities. You can create this truststore by extracting the public certificate of the Keycloak server’s SSL keystore. This is REQUIRED unless ssl-required is none or disable-trust-manager is true.

I’d first try to validate the ca files with a curl request, to make sure everything is all right in that regard:

$ openssl verify  ${SRVROOT}/conf/ssl/server.crt 
error 18 at 0 depth lookup:self signed certificate

Where ${SRVROOT} is the location apache uses. Ignore the error message. If it says OK at the end you are fine.

You can also post the full keycloak log here if you want (pastbin, maybe).

Thank you for the details,
certificate verification is Not OK. Same error 18

tried creating new certificate based on Creating a Self-Signed SSL Certificate | Heroku Dev Center
verification gives me same error.

If it says OK at the end, you can ignore the error.

Have you tried running with --log-level=debug and filter the output for truststore? That should show you which certificates have been loaded.