[keycloak-user] Keycloak running on different domain than application

Dmitry Telegin dt at acutus.pro
Mon Aug 6 06:09:55 EDT 2018


Hi Jan,

Having Keycloak and secured apps on different domains is a pretty common situation.

1. Are you using OpenID Connect or SAML?
2. Could you please share your adapter config? (scrubbing sensitive info, if any)
3. Is your domain 1 application accessible from the extranet? Could you give a URL? (you can respond with a private mail if you don't want to expose it)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-02 at 10:48 +0200, Jan Babel wrote:
> Hi guys
> Sorry for long question. Maybe it's silly but I have this problem. I
> have JBOSS *application* deployed on *domain 1* and *Keycloak* on
> *domain 2*.
> Both domains are publicly accessible. During the redirection from application
> to Keycloak, the redirect url consists of internal name of the domain 1.
> Of course the flow works for me, because I have set proxy on my computer so
> it can resolve the internal name and redirection happened and I am
> successfully logged in into the application. But that would not work for
> customers while they have no proxy set up. The application (simple WAR) is
> secured via JBOSS Keycloak Adapter.
> The question is how to tell Keycloak Adapter to *resolve the external name
> of the domain 1* (f.i. www.portal.com) and not internal name (lp01.tda)
> during redirection?
> What I tried:
> * change etc/host to bind IP address to external name (works only on my
> local machine)
> * start JBOSS with application with -b parameter (works locally but not in
> Red Hat Linux)
> * put Apache Balancer between Application and Keycloak and do URL rewriting
> rule (redirect URL is rewritten (lp01.tda replaced by www.portal.com) but
> redirect back from Keycloak to Application failed saying incorrect
> redirect_uri.. probably Keycloak Adapter checks the state variable against
> what comes back from Keycloak and realizes the URL was changed)
> I guess it's a common scenario that Keycloak (we are using RH-SSO 7.2) resides
> in different domain than applications it secures, but I can't figure it out
> how to do that.
> Many thanks in advance.