Different public and internal auth URI

[demkom58]

Not sure if it is right place to ask, but...

I am currently working on implementing the Backend for Frontend (BFF) pattern as described in your article on Baeldung. I have a specific scenario where I am using Docker’s DNS for internal communication. Here is how the URI to auth in my application.yml looks:

  security:
    oauth2:
      client:
        provider:
          myproject:
            issuer-uri: http://auth:8998/realms/myproject
            user-name-attribute: preferred_username
        registration:
          myproject:
            provider: myproject
            authorization-grant-type: authorization_code
            client-id: myproject-spa
            client-secret: ---actually-secret---
            scope: openid, profile, email, roles, offline_access

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: http://auth:8998/realms/myproject
            authorities:
              - path: $.realm_access.roles
            aud: ""
...

In this setup, the client attempts to login using the http://auth:8998/realms/myproject URL, which is not publicly available. Instead, the client should use http://localhost/auth/realms/myproject. I find using Docker DNS for local development very convenient, so I was wondering if there is a way to accommodate this setup.

[ch4mpy]

You might add your dev machine hostname (the output of the hostname command in git-bash) to the extra_hosts in your docker-compose file(s) and use that for the URIs in your conf. Like that, this hostname will be known by both docker containers and the browser you run your frontend into.

Remember to update Keycloak configuration to use this hostname in KC_HOSTNAME_URL and KC_HOSTNAME_ADMIN_URL.