It would be nice if the ReCAPTCHA and Social identity providers worked behind a web proxy. It can be fixed by configuring proxy host on Apache HttpClient as it is in this Apache example: https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientExecuteProxy.java

The problem is when external requests are blocked and must be sent via proxy. This is the case of identity brokering (social providers) and ReCAPTCHA. Social identity providers worked before version 3.0.0.CR1, because they used HttpURLConnection under the covers (where proxy can be configured with JVM parameters), not the Apache HttpClient. But this changed with KEYCLOAK-2486. So the social providers may also cause problems when upgrading.