Remaining in the same domain

The title is probably misleading.

So far I’ve used Keycloak and its gatekeeper in the following way:
An Angular SPA that uses https://github.com/manfredsteyer/angular-oauth2-oidc
Keycloak is behind a nginx virtual host on a dedicated subdomain e.g. https://connect.domain.tld

Now I’ve changed the “Frontend URL” in “Realm Settings” by accident and that changed the issuer claim to that URL prefix, which led my configured gatekeeper to not accept the token because the issuer claim was mismatched.

And this led me to this piece of documentation about the gatekeeper endpoints.

I wonder if it’s possible to remain in the same domain. Instead of configuring the SPA client to use https://connect.domain.tld/auth/realms/realmname,
it should use
https://actual-domain.tld/oauth/* or
https://actual-domain/auth/realms/realmname
since I can configure the “Frontend URL”.

I’d like it to appear to be in the same domain. Some user visits the site and is asked to create an account on a different domain than the site he visited. He might become suspicious and not create an account; after all, he never heard of connect.domain.tld before, he visited actual-domain.tld.


And this is the additional part, edited in later.
So far I’ve created a single realm for EACH of the domains where I used Keycloak for a project.
So each realm has its own userbase.
And I guess that’s where groups make sense, because right now I don’t see why there are roles that belong to a client and groups that are realm wide and I never saw the point in that.
But now I’m rethinking the whole thing.
What if I had only 1 realm, my company name.
Or maybe interest based realms, idk… gaming, b2b, social etc.
So users could just create an account once and then each new project could have its own client.

There’s so much documentation but actually using Keycloak properly and the practical application is not discussed anywhere.

Are you telling me that you all just use external domains in your projects?
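One way to get the setup the post asks for (Keycloak reachable under the site's own hostname, with the issuer matching what the SPA and gatekeeper expect) is to reverse-proxy Keycloak's `/auth/` path from the same nginx virtual host that serves the SPA. This is an added example, not configuration from the thread; it assumes a WildFly-based Keycloak on 127.0.0.1:8080 with its default `/auth` context path, that the realm's “Frontend URL” is set to `https://actual-domain.tld/auth` (so the issuer claim becomes `https://actual-domain.tld/auth/realms/realmname`), and that Keycloak is told to trust the proxy headers (for the jboss/keycloak container image, `PROXY_ADDRESS_FORWARDING=true`). Hostnames and certificate paths are placeholders.

```nginx
# Added example, not from the original thread.
# Assumes Keycloak (WildFly distribution) listens on 127.0.0.1:8080 under /auth
# and runs with PROXY_ADDRESS_FORWARDING=true so it honours X-Forwarded-*.
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name actual-domain.tld;

    ssl_certificate     /etc/ssl/certs/actual-domain.tld.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/actual-domain.tld.key;  # placeholder path

    # The Angular SPA, served as static files from the site root.
    location / {
        root /var/www/actual-domain.tld;
        try_files $uri $uri/ /index.html;
    }

    # Do not expose the admin console on the public hostname; reach it
    # through an internal address or an allow-listed location instead.
    location /auth/admin/ {
        return 404;
    }

    # Login pages, token endpoint, OIDC discovery and Keycloak's static assets.
    location /auth/ {
        proxy_pass http://keycloak;
        proxy_http_version 1.1;

        # Keycloak derives redirect URLs, cookie flags and (with Frontend URL
        # unset) the issuer from these headers, so they must describe the
        # public hostname and scheme, not the upstream socket.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        # Keycloak responses carry large headers (cookies, tokens).
        proxy_buffer_size 128k;
        proxy_buffers     4 256k;
    }
}
```

With this in place the SPA's discovery URL and gatekeeper's discovery URL are both `https://actual-domain.tld/auth/realms/realmname`, and the issuer in `https://actual-domain.tld/auth/realms/realmname/.well-known/openid-configuration` must be exactly that string, which is the check to run after changing “Frontend URL”.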

Your question is not all that clear.
From what I understood you want to use 1 Keycloak installation for multiple domain names that have different purposes.
Like www.domain1.com and www.domain2.com where you create a realm for each of those domains.

If that’s the case then you can just use connect.domain1.com and connect.domain2.com.
You create a client for Angular in each of those realms and configure those for that domain app.
Your Angular app and configuration for the realm of your domain will point to the correct information as you define the realm and client there.

No, forget the lower part.

I have 1 domain and keycloak should appear as if it’s from the same domain.
Hence the title.
It should not use a different domain. It should not use a subdomain, just the domain.tld
The problem is probably gatekeeper.

I think I’ll try something and see how it works, I have an idea.