KeyCloak Forgot password Email link

Published 2019-07-30 14:46

Question:

We are implementing authentication using Keycloak, specifically the forgot password option: when a user clicks on the Forgot password option and provides a user name, an email will be sent to their ID with the link to reset the password.

My question is specifically about the link. The link sent out in the email looks like the one below:

    https://:/auth/realms//login-actions/reset-credentials?code=

But the mentioned is really an internal physical host name that can be found in /etc/hosts, and it is not accessible to external users, so we need to replace this host:port number.

The code in the .ftl file, under themes/base/email/html/password-reset.ftl, looks like this:

    ${msg("passwordResetBodyHtml",link, linkExpiration, realmName)}

While I figured out from the admin console where the values for linkExpiration and realmName come from (they are under Realm Settings in the admin console), I am unable to find out how and where the "link" is configured. Can someone please help with this?

I looked up other threads and found this link: (Keycloak - URL Reset Password email behind a proxy), but it really talks about an NginX proxy, which we haven't configured.

Answer 1:

Got this resolved after multiple discussions with the Red Hat team. Below are the steps followed:

  1. We were using RH SSO 7.0.x: Added proxy-address-forwarding=true as below.

The server didn't start because this tag is not available in Keycloak 7.0.x, as confirmed by Red Hat.

  2. Upgraded to RH SSO 7.2.0, and the same flag addition worked. The forgot password email content has the https:///auth/realms/archcap-au/login-actions/action-token?key=

Before change:

    header=x-forwarded-host= <External Host>
    header=Host= <Internal host:8443>

After change:

    header=x-forwarded-host= <External Host>
    header=Host= <External Host>

The tag would retain the forwarded host header.
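
An added example, not part of the original answer and not Keycloak or Red Hat code: a Python check that reads the `proxy-address-forwarding` attribute from a standalone.xml fragment and models, in simplified form, which host ends up in the emailed link for the Before/After header pair above. The hostnames, the undertow namespace version, the listener names and the allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: undertow subsystem fragment of a standalone.xml.
# Namespace version and listener names are assumptions for illustration.
SAMPLE_CONFIG = """
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"/>
    <https-listener name="https" socket-binding="https" proxy-address-forwarding="true"/>
  </server>
</subsystem>
"""

# Constructed request headers as they arrive from the proxy (placeholder hosts).
SAMPLE_HEADERS = {"X-Forwarded-Host": "sso.example.com",
                  "Host": "kc-internal.example:8443"}
EXPECTED_HOSTS = {"sso.example.com"}  # hypothetical allowlist of external names


def listener_forwarding(config_xml):
    """Map each http/https listener name to whether proxy-address-forwarding is on."""
    result = {}
    for elem in ET.fromstring(config_xml).iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop the versioned namespace
        if local in ("http-listener", "https-listener"):
            flag = elem.get("proxy-address-forwarding", "false")
            result[elem.get("name")] = flag.strip().lower() == "true"
    return result


def link_host(headers, forwarding):
    """Simplified model: with forwarding on, the first X-Forwarded-Host value
    (assumed) replaces Host; otherwise the Host header is used as received."""
    h = {k.lower(): v for k, v in headers.items()}
    forwarded = h.get("x-forwarded-host", "").split(",")[0].strip()
    if forwarding and forwarded:
        return forwarded
    return h.get("host", "")


def check_link(headers, forwarding, expected_hosts):
    """Return (host, ok); ok is True only when the link host is an expected name."""
    host = link_host(headers, forwarding)
    return host, host in expected_hosts


if __name__ == "__main__":
    for name, enabled in listener_forwarding(SAMPLE_CONFIG).items():
        print(name, enabled, check_link(SAMPLE_HEADERS, enabled, EXPECTED_HOSTS))
```

Once the flag is on, the link host is taken from a request header, so comparing it with the expected external name, as `check_link` does, is a useful test to run against a real reset email after the change.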