There used to be another property auth-server-url-for-backend-requests
but was removed by pull request #2506 as a solution to issue #2623 on Keycloak’s JIRA. In the description of this issue, you’ll find the reasons why and possible workarounds: that should be solved at the DNS level or by adding entries to the host file.
So there is not much you can do in the client configuration, unless you change the code and make your own version of the adapter, but there is something you can do at the Docker level. For this to work properly, first I suggest you use a fully qualified domain name instead of localhost
for the public hostname, as you would in production anyway, eg. keycloak.mydomain.com
. You can use a fake one (not registered in DNS servers) if you just add it to the host’s /etc/hosts
file (or Windows equivalent) as an alias next to localhost
.
Then, if you are using Docker Compose, you can set aliases (alternative hostnames) for the keycloak service on the docker network to which the containers are connected (see doc: Compose File reference / Service configuration reference / networks / aliases). For example:
version: "3.7"
services:
keycloak:
image: jboss/keycloak
networks:
# Replace 'mynet' with whatever user-defined network you are using or want to use
mynet:
aliases:
- keycloak.mydomain.com
webapp:
image: "nginx:alpine"
networks:
- mynet
networks:
mynet:
If you are just using plain Docker, you can do the equivalent with --alias
flag of docker network connect
command (see doc: Container networking / IP address and hostname).