Hi everyone, I'm currently using Keycloak to authenticate a bunch of applications in a private network. I'm using the Javascript, node.js, spring security and spring boot adapters, Some using bearer token and some not. Everything works nicely except that our support engineers need to connect sometimes over a NAT gateway. The problem is that the IP/URL used by the support engineers is different than the one seen by the internal network users. So I get error validating the jwt issuer, specially when using bearer token that are generated by external users and pass back to internal services. I've seen that there use to be the `*auth-server-url-for-backend-requests*` property just for this use case but it was removed. I've also seen many questions online about this matter but no solution apart from using a DNS which is not an option for me because of certain restrictions I have. Finally, I've recently seen someone with the same problem proposing setting checkRealmUrl to false to skip the issuer validator (http://lists.jboss. org/pipermail/keycloak-user/2017-May/010640.html). Is that possible??? I haven't found how without modifying the adapter's code. Is there any other workaround? Solutions I could think are: - Include a config option to make issuer validation optional (setting checkRealmUrl to false) - Modify the `*auth-server-url*` to allow partial URLs that are resolved based on the calling host. - Modify the `*auth-server-url*`, to be a list so several URLs are accepted or to allow regexs so all the URLs that match are accepted. This probably requires separating the valid URLs from the URL use for redirections. This is a deciding factor of whether we can use Keycloak or not, and I'm sure that other people is having the same problem. So if there is no existing workaround, I 'm happy to discuss and contribute any changes to the adapters that could help me with this. -- *Juanjo Díaz* Software Architect @Intopalo Oy <https://intopalo.com>