I am configuring keycloak-gatekeeper to work with an existing Keycloak server. The Keycloak server is on the internal network and is accessible from gatekeeper using an internal domain name, and from outside using an external domain name (for end-user auth).
The issue I am having is that when gatekeeper does the discovery using the .well-known/openid-configuration endpoint, this request arrives via the internal network URL, and Keycloak responds with an authorization_endpoint URL on the internal domain. Gatekeeper then redirects clients to this internal URL, which they cannot access because they are on the external network.
Is there a solution to this problem without resorting to less desirable workarounds such as meddling with DNS queries, creating host entries, etc.?
1 - Is there a way to configure the Keycloak server to return the external URL for authorization_endpoint regardless of which URL is used for discovery?
2 - Or is there a way to overwrite authorization_endpoint on Keycloak Gatekeeper ?
I tried setting the Base URL on both sides; neither helped.
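The following is an added diagnostic, not part of the question above and not a feature of Keycloak or keycloak-gatekeeper. It parses an OpenID Connect discovery document and reports which browser-facing endpoints (the ones a user agent is redirected to) carry a host other than the external one, which is exactly the mismatch the question describes. It also shows what a client-side override of those endpoints would look like, leaving the back-channel endpoints (token, userinfo, JWKS) and the issuer untouched, since those are fetched by the gatekeeper itself over the internal network and the issuer value is what ID-token `iss` claims are validated against. The sample discovery document and the hostnames `keycloak.internal.example` and `sso.example.com` are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: what a Keycloak realm's .well-known/openid-configuration
# looks like when the discovery request arrives via the INTERNAL hostname.
# Hostnames and realm name are placeholders, not taken from the original post.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.internal.example/auth/realms/demo",
    "authorization_endpoint": "https://keycloak.internal.example/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.internal.example/auth/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.internal.example/auth/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://keycloak.internal.example/auth/realms/demo/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak.internal.example/auth/realms/demo/protocol/openid-connect/logout",
})

# Endpoints the end user's browser is sent to: these must resolve and be
# reachable from the external network.
BROWSER_FACING = ("authorization_endpoint", "end_session_endpoint")

# Endpoints only the relying party (gatekeeper) calls directly: an internal
# host is fine here and is deliberately left alone.
BACKCHANNEL = ("token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_sample() -> dict:
    """Parse the constructed sample discovery document."""
    return json.loads(SAMPLE_DISCOVERY)


def find_unreachable_endpoints(doc: dict, external_host: str) -> dict:
    """Return {key: url} for browser-facing endpoints whose host is not
    external_host. A non-empty result is the symptom from the question:
    the browser will be redirected to a host it cannot reach."""
    problems = {}
    for key in BROWSER_FACING:
        url = doc.get(key)
        if url and urlsplit(url).netloc != external_host:
            problems[key] = url
    return problems


def rewrite_browser_endpoints(doc: dict, external_host: str, scheme: str = "https") -> dict:
    """Return a copy of the discovery document with only the browser-facing
    endpoints re-homed onto external_host. The path, query and fragment are
    preserved; issuer and back-channel endpoints are not modified."""
    fixed = dict(doc)
    for key in BROWSER_FACING:
        url = fixed.get(key)
        if url:
            parts = urlsplit(url)
            fixed[key] = urlunsplit((scheme, external_host, parts.path, parts.query, parts.fragment))
    return fixed


def check_discovery(raw_json: str, external_host: str) -> dict:
    """Convenience wrapper: parse a raw discovery response and report problems."""
    return find_unreachable_endpoints(json.loads(raw_json), external_host)


if __name__ == "__main__":
    doc = load_sample()
    bad = find_unreachable_endpoints(doc, "sso.example.com")
    for key, url in bad.items():
        print(f"{key} points at an internal host: {url}")
    fixed = rewrite_browser_endpoints(doc, "sso.example.com")
    print(json.dumps(fixed, indent=2))
```

Running the check against a live server is a matter of fetching the discovery URL the gatekeeper actually uses (the internal one) and passing the response body to `check_discovery` together with the hostname users see in their browser. Whether a given relying party lets you apply the rewrite is a question of that software's configuration; the function only illustrates which fields would need to differ.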