The title is probably misleading.
So far I’ve used Keycloak and its gatekeeper in the following way:
An Angular SPA that uses https://github.com/manfredsteyer/angular-oauth2-oidc
Keycloak is behind a nginx virtual host on a dedicated subdomain e.g. https://connect.domain.tld
Now I’ve changed the “Frontend URL” in “Realm Settings” by accident, and that changed the issuer claim to that URL prefix, which led my configured gatekeeper to not accept the token because the issuer claim was mismatched.
And this led me to this piece of documentation about the gatekeeper endpoints.
I wonder if it’s possible to remain in the same domain. Instead of configuring the SPA client to use https://connect.domain.tld/auth/realms/realmname, it should use https://actual-domain.tld/oauth/* or https://actual-domain/auth/realms/realmname, since I can configure the “Frontend URL”.
I’d like it to appear to be in the same domain. Some user visits the site and is asked to create an account on a different domain than the site he visited. He might become suspicious and not create an account; after all, he never heard of connect.domain.tld before, he visited actual-domain.tld.
And this is the additional part, edited in later.
So far I’ve created a single realm for EACH of the domains where I used Keycloak for a project.
So each realm has its own userbase.
And I guess that’s where groups make sense, because right now I don’t see why there are roles that belong to a client and groups that are realm wide and I never saw the point in that.
But now I’m rethinking the whole thing.
What if I had only 1 realm, my company name.
Or maybe interest based realms, idk… gaming, b2b, social etc.
So users could just create an account once and then each new project could have its own client.
There’s so much documentation but actually using Keycloak properly and the practical application is not discussed anywhere.
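As an added example that is not part of the original post, the following nginx virtual host serves the SPA and Keycloak from one hostname, so that with “Frontend URL” set to https://actual-domain.tld/auth the issuer claim becomes https://actual-domain.tld/auth/realms/realmname. It assumes the WildFly-era /auth path the post uses, a Keycloak instance listening on 127.0.0.1:8080 that was started with PROXY_ADDRESS_FORWARDING=true (or proxy-address-forwarding="true" on the http-listener in standalone.xml), and placeholder certificate, web-root and admin-network values; all of those are assumptions, not settings from the post.

```nginx
# Added example (not from the original post): one virtual host for the SPA
# and for Keycloak under /auth, so the issuer stays on actual-domain.tld.
server {
    listen 443 ssl http2;
    server_name actual-domain.tld;

    # Assumed certificate paths.
    ssl_certificate     /etc/nginx/certs/actual-domain.tld.crt;
    ssl_certificate_key /etc/nginx/certs/actual-domain.tld.key;

    # The Angular SPA, served as static files (assumed web root).
    location / {
        root /var/www/spa;
        try_files $uri $uri/ /index.html;
    }

    # Admin console: same upstream, but only reachable from an assumed
    # internal network. Putting Keycloak on the public domain otherwise
    # exposes /auth/admin/ to everyone who can reach the site.
    location /auth/admin/ {
        allow 192.0.2.0/24;
        deny  all;
        proxy_pass         http://127.0.0.1:8080/auth/admin/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Host  $host;
        proxy_set_header   X-Forwarded-Port  443;
    }

    # Everything else under /auth (realms, login pages, token endpoint).
    # Keycloak builds redirect URIs and, together with "Frontend URL",
    # the iss claim from Host and the X-Forwarded-* headers, so they
    # must be forwarded; with PROXY_ADDRESS_FORWARDING unset it would
    # keep generating http://127.0.0.1:8080/... URLs instead.
    location /auth/ {
        proxy_pass         http://127.0.0.1:8080/auth/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   X-Forwarded-Host  $host;
        proxy_set_header   X-Forwarded-Port  443;
    }
}
```

After reloading nginx, the check is to fetch https://actual-domain.tld/auth/realms/realmname/.well-known/openid-configuration and confirm that its issuer field reads https://actual-domain.tld/auth/realms/realmname; that same string is then what the SPA's issuer setting and the gatekeeper's discovery URL must be set to, since both compare the token's iss claim against it, which is exactly the mismatch the post describes after the “Frontend URL” changed.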