Login action mail uses backend issuer URL

I’m trying to upgrade from Keycloak 15 (Wildfly) to Keycloak 18 (Quarkus). The upgrade itself didn’t pose any issues, but during testing I ran into the issue where, when I’m sending a login action mail from Keycloak, it uses the internal admin URL instead of the frontend URL.

My setup is reverse proxied through Nginx with x-forwarded-for and x-forwarded proto set.
For Keycloak itself I’m using a docker-compose setup with an external PostgreSQL database.

The admin portal for my Keycloak is accessible at internal-url/auth and connects directly to the default master realm. There is another realm for the public endpoint where the frontend URL is set to publicurl/auth. I can log in and go to my application through the publicurl/auth, but when triggering the login action from the internal URL, the link in the mail always points to internal-url instead of the public endpoint. This setup was working fine in Keycloak 15.

In my docker-compose I’m setting the following parameters:

  KC_HOSTNAME: publicurl
  KC_HTTP_RELATIVE_PATH: "/auth" 
  KC_HOSTNAME_STRICT_HTTPS: "false"
  KC_HOSTNAME_STRICT: "true"
  KC_PROXY: "edge"
  KC_SPI_HOSTNAME_DEFAULT_ADMIN: internal-url
  PROXY_ADDRESS_FORWARDING: "true"
  KEYCLOAK_FRONTEND_URL: https://publicurl/auth
  KC_HOSTNAME_STRICT_BACKCHANNEL: "false"

You need to set the frontend URL in the realm settings in the admin UI.

Thanks for the reply.

The frontend URL for the master realm is set to the internal URL and for the public realm to the public URL.

If I change the frontend URL for the master realm to the public URL, it’s of course accessible over the public URL, which I want to avoid.