Keycloak on Kubernetes: ingress vs internal service


We are currently setting up Keycloak on a Kubernetes cluster as an OpenID provider.
However, we’re running into some issues regarding the external URL of Keycloak for authentication (through ingress) versus the internal URL (service) of Keycloak within the namespace.

We have one namespace that contains both our Keycloak instance and our API gateway (Tyk in this case).
In this namespace we also have a web app.
All of them are reachable using path-based routing, so let’s say:
https://external-domain/auth is Keycloak, https://external-domain/app is our webapp.

Authenticating against Keycloak works perfectly; we can authenticate in the webapp and log in. However, the API gateway then tries to validate the authenticated token against Keycloak once the webapp tries to talk to the backend APIs behind the API gateway.

The problem here is that the validation URL is retrieved by Tyk from the token and it points to the external Keycloak URL, through the ingress.
Obviously Tyk cannot reach this endpoint, since it’s in the same namespace and should validate against Keycloak using the internal, service-based URL. Therefore token validation fails and the user gets kicked out of the webapp again.

Anyone else in this situation? Any recommendations on how to handle this scenario? Is there a config possible in Keycloak to handle something like this?

Thanks in advance for any feedback!
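
The mismatch described in the post above, as an added example that is not part of the original thread: the first lookup follows the token's `iss` claim to a key URL the way the post describes, the second pins the expected external issuer and builds the key URL on the in-cluster Service instead. The realm `demo`, the Service address `http://keycloak:8080`, and the `/auth` path being served unchanged inside the cluster are assumptions, and the token is constructed sample input.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumed values, not from the thread: realm "demo", Service "keycloak" on port 8080.
EXPECTED_ISSUER = "https://external-domain/auth/realms/demo"
INTERNAL_BASE = "http://keycloak:8080"
CERTS_PATH = "/protocol/openid-connect/certs"  # Keycloak's JWKS endpoint under a realm


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(issuer: str) -> str:
    """Constructed token with a dummy signature, used only as sample input."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": "alice"}).encode())
    return f"{header}.{payload}.c2ln"


def unverified_issuer(token: str) -> str:
    """Read `iss` before signature verification, only to decide where keys come from."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims.get("iss", "")


def jwks_url_from_token(token: str) -> str:
    """The behaviour in the post: the key URL follows whatever issuer the token names."""
    return unverified_issuer(token) + CERTS_PATH


def jwks_url_internal(token: str) -> str:
    """Require the exact external issuer, then fetch keys via the in-cluster Service."""
    issuer = unverified_issuer(token)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer: {issuer!r}")
    # Host comes from configuration, never from the token; only the path is reused.
    return f"{INTERNAL_BASE}{urlsplit(EXPECTED_ISSUER).path}{CERTS_PATH}"
```

The `iss` comparison stays against the external URL because that is what the token carries; only the network location used to fetch keys changes.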

I am facing the same issue. Did you manage to fix it?

I wonder about the same thing, @hkdeman.
We might want to mention @wodec by name to see if they get the message that way.

@wodec, did you figure out how to separate the URLs?