Hello,
I have a Keycloak instance that I use to authenticate different applications under the same domain. This works fine.
Now I want to secure a new application under a different domain, and I’m running into a problem in the browser OIDC flow where the state cookie is not found, with the message [org.wildfly.security.http.oidc] No state cookie.
I access the protected resource at https://example.com/app.
It redirects me to https://mykeycloak.com/realms/example/… for login.
Keycloak generates the state cookie with Domain=mykeycloak.com.
After login, the browser redirects me back to https://example.com/app, but the cookie is not sent (AFAIK it's because it belongs to mykeycloak.com).
As a result, the client reports “no state cookie.”
To protect the app I use oidc.json; the provider-url is set to https://mykeycloak.com/realms/example/.
This works if the application is under the same domain as Keycloak, but not when the app is on a different domain.
I'm considering configuring NGINX reverse proxies so that for each application domain I have:
server {
    server_name example.com;

    location /realms/ {
        proxy_pass http://mykeycloak-internal:8080/realms/;
    }
}
That way, applications would always talk to Keycloak under their own domain (https://example.com/realms/…), and I would adjust the provider-url in each app accordingly.
Questions
If I do this, will the .well-known/openid-configuration still return the issuer as mykeycloak.com?
Is it possible to configure Keycloak so that the issuer matches the proxied domain (example.com) dynamically?
Thanks!
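An added check for the first question, not part of the original post: it parses a realm's .well-known/openid-configuration document and reports whether its issuer and *_endpoint URLs point at the provider-url configured in oidc.json. The discovery document below is constructed for illustration using the hostnames from the post; the helper names are my own.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample: what a discovery document could look like when the realm is
# reached through a proxy on example.com but the issuer still names mykeycloak.com.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://mykeycloak.com/realms/example",
    "authorization_endpoint":
        "https://mykeycloak.com/realms/example/protocol/openid-connect/auth",
    "token_endpoint":
        "https://mykeycloak.com/realms/example/protocol/openid-connect/token",
})


def normalize(url: str) -> str:
    """Lower-case scheme and host and drop a trailing slash, so a provider-url
    written as https://host/realms/example/ compares cleanly with the issuer."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def check_discovery(discovery_json: str, provider_url: str) -> dict:
    """Report whether the issuer equals provider_url and list every *_endpoint
    whose host differs from the provider-url host (i.e. the browser would be
    sent to a domain other than the one the app is configured to use)."""
    doc = json.loads(discovery_json)
    expected = normalize(provider_url)
    expected_host = urlsplit(expected).netloc
    report = {"issuer_matches": normalize(doc["issuer"]) == expected,
              "foreign_endpoints": []}
    for key, value in doc.items():
        if key.endswith("_endpoint") and urlsplit(value).netloc.lower() != expected_host:
            report["foreign_endpoints"].append(key)
    return report


def fetch_discovery(provider_url: str) -> str:
    """Fetch the live discovery document for a provider-url (network required)."""
    url = normalize(provider_url) + "/.well-known/openid-configuration"
    with urlopen(url, timeout=10) as resp:  # nosec: operator-supplied URL
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://example.com/realms/example/"))
```

Run it against the proxied provider-url before and after changing Keycloak's hostname settings; an `issuer_matches` of False together with foreign endpoints means the proxy alone has not changed what the realm advertises.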