we have a Vue app using a Spring Boot backend. There are multiple customers running their own instance of the webserver, and running their own keycloak instance.
I think, this is a not very secure way. Imagine, a hacker is able to send an manipulated URL to the client. Then our client accepts this manipulated URL, and the user maybe gets an manipulated version of an login page, stealing their credentials.
But what would be the correct way to tell the client the address of the KeyCloak server?