Description
We have developed a dynamic hostname provider which uses the request URL to create the frontend URLs. This in turn makes the issuer in the tokens be the domain used for the auth request. Then we're using a backchannel domain that is different, and sometimes even a direct IP.
Code to token works OK, but then it fails on refresh token with "Invalid token issuer. Expected ..."
So my request is to make this issuer check configurable for the whole Keycloak (not per realm), and be turned on by default.
I have investigated how we could change our custom hostname provider, but since we can't know the original domain used in the first request, this check is impossible to assertTrue for us.
Discussion
No response
Motivation
Make Keycloak more configurable to the environment it's used in
Details
No response