I’m trying to upgrade from Keycloak 15 (Wildfly) to Keycloak 18 (Quarkus). The upgrade itself didn’t pose any issues, but during testing I ran into an issue: when I send a login action mail from Keycloak, it uses the internal admin URL instead of the frontend URL.
My setup is reverse proxied through Nginx with X-Forwarded-For and X-Forwarded-Proto set.
For Keycloak itself I’m using a docker-compose setup with an external PostgreSQL database.
The admin portal for my Keycloak is accessible at internal-url/auth and connects directly to the default master realm. There is another realm for the public endpoint where the frontend URL is set to publicurl/auth. I can log in and go to my application through publicurl/auth, but when triggering the login action from the internal URL, the link in the mail always points to internal-url instead of the public endpoint. This setup was working fine in Keycloak 15.
In my docker-compose I’m setting the following parameters:
KC_HOSTNAME: publicurl
KC_HTTP_RELATIVE_PATH: "/auth"
KC_HOSTNAME_STRICT_HTTPS: "false"
KC_HOSTNAME_STRICT: "true"
KC_PROXY: "edge"
KC_SPI_HOSTNAME_DEFAULT_ADMIN: internal-url
PROXY_ADDRESS_FORWARDING: "true"
KEYCLOAK_FRONTEND_URL: https://publicurl/auth
KC_HOSTNAME_STRICT_BACKCHANNEL: "false"