Hi, I'm trying to wrap Keycloak behind Nginx for a client and I can't work out how to

avoid the invalid parameter: redirect_uri problem.

Website is https://my-client.pibenchmark.com

In nginx:

location /auth {

    proxy_pass https://auth-service;

}

upstream auth-service {

    server my-keycloak:8443;

}

Then in Keycloak I have valid redirect URIs set to https://*.pibenchmark.com/* ie my whole domain. Still getting invalid parameter: redirect_uri though. 

What am I doing wrong? Can I do this this way? I like to have one point of contact with the internet for security reasons.