When the protected resource is accessed through a URL that is rewritten in some way (rewrite rule, proxy, etc.), the Keycloak redirect_uri parameter is always constructed from the actual servlet request, i.e. from the URL as it looks after rewriting.
For example, suppose we have a webapp named 'foo', and a URL rewrite maps its path to /bar.
If we access http://localhost/bar, the actual Keycloak login URL will contain redirect_uri=http://localhost/foo, so after login you are redirected back to /foo; the cookie with the auth info will then not be sent, and the result is a 400 response.
Attaching 2 simple Tomcat web apps to reproduce the problem.
- ROOT.war only contains the rewrite rule (/api to /wsmaster/api).
- wsmaster.war is the app with a test page that requires authentication.
So when trying to access http://localhost:8080/wsmaster/api/index.jsp (not using the rewrite), it works just fine.
When trying http://localhost:8080/api/index.jsp (with the rewrite), it results in a 400 page after authentication.
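A quick way to confirm the mismatch described above without completing a login is to look at the 302 the adapter returns for the protected page and compare the redirect_uri it hands to Keycloak against the URL the browser actually requested. The script below is an added diagnostic, not part of the attached web apps or of Keycloak; the Keycloak base path /auth, the realm name demo, the client_id wsmaster and the state value in the constructed sample Location header are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the attached wars): compare the redirect_uri in the
# adapter's 302 Location header with the URL the client actually requested.
# A mismatch is exactly the rewrite problem described in this report.

# Extract the raw (still percent-encoded) redirect_uri value from a Location header.
redirect_uri_from_location() {
    printf '%s\n' "$1" | sed -n 's/.*[?&]redirect_uri=\([^& ]*\).*/\1/p'
}

# Percent-decode the characters the adapter encodes in a typical redirect_uri
# (':' '/' '?' '=' '&'); enough to compare scheme://host:port/path values.
url_decode() {
    printf '%s\n' "$1" | sed \
        -e 's/%3A/:/g;s/%3a/:/g' \
        -e 's/%2F/\//g;s/%2f/\//g' \
        -e 's/%3F/?/g;s/%3f/?/g' \
        -e 's/%3D/=/g;s/%3d/=/g' \
        -e 's/%26/\&/g'
}

# Returns 0 when the decoded redirect_uri equals the URL the client requested.
redirect_uri_matches() {
    requested="$1"
    location="$2"
    decoded=$(url_decode "$(redirect_uri_from_location "$location")")
    [ "$decoded" = "$requested" ]
}

# Live check against a running Tomcat: fetch only the headers and report.
check_url() {
    url="$1"
    location=$(curl -s -o /dev/null -D - "$url" | grep -i '^location:' | tr -d '\r')
    if redirect_uri_matches "$url" "$location"; then
        echo "OK       $url"
    else
        echo "MISMATCH $url -> $location"
    fi
}

# Constructed sample header (assumed realm 'demo', client 'wsmaster', base path
# /auth): shaped like the adapter's answer when the browser asked for
# /api/index.jsp but the rewritten path /wsmaster/api/index.jsp ended up in
# redirect_uri.
SAMPLE_LOCATION='Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=wsmaster&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fwsmaster%2Fapi%2Findex.jsp&state=abc'

# Run with --live against the two URLs from the report.
if [ "${1:-}" = "--live" ]; then
    check_url http://localhost:8080/wsmaster/api/index.jsp   # direct access
    check_url http://localhost:8080/api/index.jsp            # through the rewrite
fi
```

Run it with --live while Tomcat is up: the direct URL should report OK, and the rewritten one should report MISMATCH with a redirect_uri pointing at /wsmaster/api/index.jsp, which is what sends the browser to the wrong path after login.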