Adapters should support using different URLs for frontend and backend requests.
When clients are located on the same network as the Keycloak server, they can communicate directly with Keycloak using an internal domain name or IP address.
With the introduction of a new default hostname provider, Keycloak now supports configuring different URLs for frontend requests and backchannel requests. See https://issues.jboss.org/browse/KEYCLOAK-11728 for more details.
By making the adapters load the issuer and endpoints dynamically from the Keycloak server's OpenID Connect Discovery endpoint instead of hard-coding the endpoints, we allow the Keycloak server to select the correct URLs based on the request. With KEYCLOAK-11728, Keycloak will use the frontend URL for authorization_endpoint (which is loaded by the user agent) and for issuer (in order to keep the issuer consistent regardless of the URL used to contact Keycloak), and any emails sent to users will use the frontend URL as well.
We will not support setting the issuer field separately, as that would only solve part of the problem, whereas this approach solves all the issues with using different URLs.
The previous proposal of having separate URLs for frontend and backchannel requests in the client would mean more work to configure clients, as it would require two URLs. With this approach the client only needs to know what address to contact Keycloak on and doesn't have to know the frontend/public URL, as that will be advertised by the Keycloak server itself.
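
A sketch of the discovery-based loading described above, as an added example that is not Keycloak adapter code: it takes the one address the client is configured with, reads issuer and endpoints from a discovery document, and validates a token's `iss` against the advertised issuer rather than the contact address. The host names, realm name, function names and the origin checks are assumptions made for illustration, as is the constructed document showing backchannel endpoints on the contacted address.

```python
import json
from urllib.parse import urlsplit

# The only address the client is configured with (assumed internal host name).
CONTACT_URL = "http://keycloak.internal:8080/auth/realms/demo"

# Constructed discovery document, shaped like a response fetched over CONTACT_URL:
# issuer and authorization_endpoint carry the frontend URL, backchannel endpoints
# carry the address the request arrived on (assumed behaviour for this sample).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://sso.example.com/auth/realms/demo",
    "authorization_endpoint": "https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak.internal:8080/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "http://keycloak.internal:8080/auth/realms/demo/protocol/openid-connect/certs",
})

def origin(url):
    """Return scheme://host[:port] of a URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def load_endpoints(discovery_json, contact_url):
    """Build adapter endpoints from the discovery document, not hard-coded URLs."""
    doc = json.loads(discovery_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            raise ValueError(f"discovery document is missing {key}")
    frontend, backend = origin(doc["issuer"]), origin(contact_url)
    # The user agent loads authorization_endpoint, so it must share the issuer's origin.
    if origin(doc["authorization_endpoint"]) != frontend:
        raise ValueError("authorization_endpoint is not on the issuer's origin")
    # Added policy (not from the page): backchannel endpoints must be on the address
    # we contacted or on the frontend URL; any other origin is rejected.
    for key in ("token_endpoint", "jwks_uri"):
        if origin(doc[key]) not in (frontend, backend):
            raise ValueError(f"{key} points at an unexpected origin")
    return doc

def issuer_matches(claims, endpoints):
    """Compare a token's iss claim with the advertised issuer, not the contact URL."""
    return claims.get("iss") == endpoints["issuer"]
```

Because the issuer comes from the server, a token obtained through the frontend URL validates in a client that only knows the internal address, while a token whose `iss` equals the internal address is rejected.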