Keycloak introduced the concept of "Frontend URL" to enable different URLs for front-channel and back-channel requests towards Keycloak.
We have a use case where the same Keycloak server is exposed via 2 public URLs (over 2 separate VPNs which are not accessible to each other) via separate Nginx proxies in a Kubernetes cluster:
domain1.company.com
domain2.company.com
and an internal URL:
internal.company.com
The problem is that we can set only one Frontend URL. For example, let's say we set it to domain1.company.com. Now when public clients access Keycloak via domain2.company.com using the OIDC Discovery Endpoint, they get the authorization_endpoint as https://domain1.company.com/auth/realms/{realm-name}/protocol/openid-connect/auth, which is not accessible due to the separate VPNs.
By allowing only one value of Frontend URL, Keycloak assumes that the server is accessible via only one public URL, which may not be the case as in our example.
Is there a solution available to this problem?
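The mismatch described in the question can be checked per public hostname before users hit it. The following is an added example (not Keycloak's own code) that takes a discovery document and the host it was fetched through and reports every URL-valued field pointing at a different host; the realm name `demo` and the sample document are constructed.

```python
"""Added example (not Keycloak's own code): detect the Frontend URL mismatch
described above by checking which fields in an OIDC discovery document
point at a different host than the one the document was fetched from."""
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Hostname part of a URL, lower-cased; empty string if unparsable."""
    return (urlparse(url).hostname or "").lower()


def discovery_url(public_host: str, realm: str) -> str:
    """Well-known URL under the '/auth' context path used in the question."""
    return f"https://{public_host}/auth/realms/{realm}/.well-known/openid-configuration"


def endpoint_mismatches(discovery: dict, fetched_from: str) -> dict:
    """Return {field: host} for every URL-valued field (issuer, *_endpoint,
    jwks_uri) whose host differs from the host the document came from.
    OIDC Discovery requires the issuer to equal the URL it was fetched from,
    and a browser on the other VPN cannot reach a foreign-host
    authorization_endpoint at all."""
    def wanted(key: str) -> bool:
        return key in ("issuer", "jwks_uri") or key.endswith("_endpoint")

    return {
        key: host_of(val)
        for key, val in discovery.items()
        if wanted(key) and isinstance(val, str) and host_of(val) != fetched_from.lower()
    }


# Constructed sample of what Keycloak returns with Frontend URL = domain1.company.com.
SAMPLE_DISCOVERY = {
    "issuer": "https://domain1.company.com/auth/realms/demo",
    "authorization_endpoint": "https://domain1.company.com/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://domain1.company.com/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://domain1.company.com/auth/realms/demo/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    # Simulate discovery through each public proxy; a real check would GET
    # discovery_url(host, "demo") from inside that VPN and pass the JSON here.
    for host in ("domain1.company.com", "domain2.company.com"):
        bad = endpoint_mismatches(SAMPLE_DISCOVERY, host)
        print(host, "OK" if not bad else f"fields pointing at another host: {bad}")
```

Running the check from inside each VPN against its own public hostname makes the problem visible as a list of unreachable fields rather than as a failed login later.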