[keycloak-user] Keycloak running on different domain than application

Jan Babel janci.babel at gmail.com
Thu Aug 2 04:48:36 EDT 2018


Hi guys
Sorry for the long question. Maybe it's silly, but I have this problem. I
have a JBOSS *application* deployed on *domain 1* and *Keycloak* on
*domain 2*.
Both domains are publicly accessible. During the redirection from the application
to Keycloak, the redirect URL consists of the internal name of domain 1.
Of course the flow works for me, because I have set a proxy on my computer so
it can resolve the internal name, the redirection happens and I am
successfully logged in to the application. But that would not work for
customers, as they have no proxy set up. The application (simple WAR) is
secured via the JBOSS Keycloak Adapter.
The question is how to tell the Keycloak Adapter to *resolve the external name
of domain 1* (f.i. www.portal.com) and not the internal name (lp01.tda)
during redirection?
What I tried:
* change /etc/hosts to bind the IP address to the external name (works only on my
local machine)
* start JBOSS with the application with the -b parameter (works locally but not in
Red Hat Linux)
* put Apache Balancer between the application and Keycloak and do a URL rewriting
rule (the redirect URL is rewritten (lp01.tda replaced by www.portal.com) but
the redirect back from Keycloak to the application failed saying incorrect
redirect_uri; probably the Keycloak Adapter checks the state variable against
what comes back from Keycloak and realizes the URL was changed)
I guess it's a common scenario that Keycloak (we are using RH-SSO 7.2) resides
in a different domain than the applications it secures, but I can't figure out
how to do that.
Many thanks in advance.

