Our deployment environment has the possibility to be reached through multiple URLs, and we are assured that at least one is always resolvable.
One way to achieve this would be to set the common URL as the KC_HOSTNAME and then set KC_HOSTNAME_STRICT=false so that any URL would be valid, but any redirect / auto-configure would be provided with the common URL.
Although, looking at KC_HOSTNAME_STRICT, we can see that it should never be used in production unless the proxy is validating the host.
We are trying to discover what the security implications of that configuration would be at the Keycloak level, and then see what we can configure in the proxy in between to validate the host (e.g. a configured “server” in nginx).
Is there any pointer to how this configuration can be abused? Or, if anyone can explain it, we would also greatly appreciate it.
Thanks for any help in advance!
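Added example, not part of the original post and not configuration from the Keycloak project: an nginx front end that performs the host validation the post refers to. It lists the URLs the deployment actually answers on in `server_name` and sends every other Host value to a `default_server` that closes the connection, so Keycloak with KC_HOSTNAME_STRICT=false only ever sees requests for known hostnames. The hostnames, certificate paths and upstream address are placeholders.

```nginx
# Added example (not from the original post or the Keycloak project): nginx
# only forwards requests whose Host header matches one of the names we serve,
# so the KC_HOSTNAME_STRICT=false setting on Keycloak is backed by host
# validation at the proxy. All names, paths and addresses are placeholders.

upstream keycloak {
    server 127.0.0.1:8080;   # assumed Keycloak backend address
}

# Catch-all: any request whose Host header is not one of the names in the
# second block lands here. Returning 444 closes the connection without a
# response, so an arbitrary Host value never reaches Keycloak.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/fallback.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/fallback.key;
    return 444;
}

# The URLs known to be valid for this deployment. Only these reach Keycloak.
server {
    listen 443 ssl;
    server_name sso.example.com sso-dc1.example.com sso-dc2.example.com;  # placeholders
    ssl_certificate     /etc/nginx/tls/sso.crt;
    ssl_certificate_key /etc/nginx/tls/sso.key;

    location / {
        proxy_pass http://keycloak;
        # Forward the validated host and scheme so Keycloak can build
        # correct redirects; $host is guaranteed to be one of the names above.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

With this in front, the only Host values Keycloak can derive anything from are the ones in the `server_name` list; the `default_server` block is what turns the "proxy is validating the host" condition into an explicit allow-list rather than relying on whichever block nginx would otherwise pick first. A quick check is to send a request with an unlisted Host header through the proxy and confirm the connection is closed rather than answered. On the Keycloak side the post's own settings (KC_HOSTNAME set to the common URL, KC_HOSTNAME_STRICT=false) stay as described, and Keycloak must be configured to trust the X-Forwarded-* headers from this proxy (the proxy-headers option in current releases).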