fix: use server-side KEYCLOAK_URL for container-to-container JWT verification

Rashmil-1999 · Rashmil-1999 · commit 744ca3b5f292 · 2026-02-16T20:23:48.000-06:00
In Docker, the frontend container's middleware resolves NEXT_PUBLIC_KEYCLOAK_URL
(http://localhost:8080) to itself instead of the keycloak container, causing
ECONNREFUSED. Prefer the runtime KEYCLOAK_URL env var (http://keycloak:8080)
on the server side for proper Docker DNS resolution.
diff --git a/src/utils/authHelpers.ts b/src/utils/authHelpers.ts
@@ -40,6 +40,11 @@ export const getKeycloakBaseUrl = () => {
 
 // backend
 export function getKeycloakBaseFromHost(hostname: string | undefined): string {
+  // Server-side: prefer KEYCLOAK_URL for container-to-container communication
+  if (typeof window === 'undefined' && process.env.KEYCLOAK_URL) {
+    return process.env.KEYCLOAK_URL
+  }
+
   if (
     process.env.NEXT_PUBLIC_KEYCLOAK_URL &&
     process.env.NEXT_PUBLIC_KEYCLOAK_URL.trim() !== ''
