Adapters should allow configuring a separate URL used for back channel requests. This is useful when the client is located on the same network as the Keycloak server and wants to use an internal IP address for back channel requests.
Keycloak does not know it's public realm URL and as such will not know the correct URL if requests are sent to it using an internal URL. This causes a number of problems.
To resolve this issue we'd need to add support for a request URL to all server-side adapters (Java and Node.js currently). We also need to address how Keycloak would know its correct URL. This may be possible to address with Undertow filters to rewrite the Host header to map the internal URL to the public URL.