Problem: SpringSecurity/KeyCloak external/internal network issue
We have a customer with a public network – let’s say company.com
They have an LB that redirects calls to our platform to an internal network, let’s call it internal.com
We are using KeyCloak’s login/forgot-password/… etc. pages, so the first call is to our main app; this in turn redirects to KeyCloak for login, and after the login the app calls an internal micro-service that is now trying to verify the JWT token with KeyCloak.
But since it is on the internal network, it uses the ISS in the JWT token, which is https://keycloak.company.com and not https://keycloak.internal.com.
If we try to fool it and set up the CoreDNS inside K8s to redirect calls from https://keycloak.company.com to https://keycloak.internal.com, it doesn’t work, as we don’t have the SSL certificate of company.com but only internal.com.
(The internal network doesn’t have access to, or know about, the public network.)
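One way to decouple the two hostnames on the resource-server side, as an added example that is not part of the original post: let the internal micro-service fetch Keycloak's signing keys from the internal hostname it can actually reach, while still pinning the expected `iss` claim to the public hostname that Keycloak writes into the token. This avoids both the DNS rewrite and the need for the company.com certificate inside the cluster. The realm name `myrealm`, the Keycloak URL layout without an `/auth` prefix, and the class/package names are assumptions; the Spring Security calls (`NimbusJwtDecoder.withJwkSetUri`, `JwtValidators.createDefaultWithIssuer`, `setJwtValidator`) are the library's real API.

```java
// Added example (not from the original post): a Spring Security resource-server
// configuration that fetches Keycloak's JWK Set from the INTERNAL hostname while
// accepting the PUBLIC hostname as the expected "iss" claim.
// Assumptions: realm is "myrealm", Keycloak has no "/auth" prefix, and the JVM
// trust store already contains the internal.com certificate chain.
package com.example.internalservice;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Exactly what Keycloak puts into the token's "iss" claim: its public frontend URL.
    private static final String EXPECTED_ISSUER =
            "https://keycloak.company.com/realms/myrealm";

    // Where this service can reach Keycloak from inside the cluster (internal cert only).
    private static final String INTERNAL_JWKS_URI =
            "https://keycloak.internal.com/realms/myrealm/protocol/openid-connect/certs";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Build from an explicit JWK Set URI. NimbusJwtDecoder.withIssuerLocation(...)
        // would run OIDC discovery against the public hostname, which the internal
        // network cannot resolve or reach, so it is deliberately not used here.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(INTERNAL_JWKS_URI).build();

        // Keep the default timestamp checks (exp/nbf with clock skew) and add an
        // issuer check pinned to the PUBLIC issuer string. Tokens minted via
        // company.com therefore validate even though keys were fetched via internal.com.
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(EXPECTED_ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Spring Boot's property-based auto-configuration supports the same split without a custom bean: set `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` to the internal URL and `spring.security.oauth2.resourceserver.jwt.issuer-uri` to the public one; when both are present, Boot uses the JWK Set URI for key retrieval and the issuer URI only as the expected `iss` value, so no discovery call to the public hostname is made. Either way, the JWKS fetch is a TLS connection to internal.com, so the internal certificate is the only one the service needs to trust.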