pfSense/haproxy, Nextcloud/Social Login and Keycloak

Nextcloud version (eg, 20.0.5): 22.2.3
Operating system and version (eg, Ubuntu 20.04): debian 11
Apache or nginx version (eg, Apache 2.4.25): Apache (as per
PHP version (eg, 7.4): 8.0.14

The issue you are facing:
I have been running Nextcloud in my home lab behind haproxy (on pfSense) for a few months now and it is working perfectly fine.

Now I am trying to combine it with Keycloak for the login process. I have just set up Keycloak and am running it in production mode.

On Nextcloud I installed the social login app and configured it to use Keycloak. In Keycloak I set up a realm, a client and a test user for Nextcloud.

When I go to the login page of Nextcloud, I am presented with a Keycloak login button and when I click it, I am redirected to Keycloak where I can enter the credentials of the test user. But after authentication, the redirection back to Nextcloud does not work: I get a 504 Timeout error from haproxy.

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

  1. Set up haproxy
  2. Set up Nextcloud with Social Login
  3. Set up Keycloak

The output of your Nextcloud log in Admin > Logging:

(Nothing with respect to the login attempt)

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => 'xxx',
    1 => 'xxx',
  ),
  'datadirectory' => '/mnt/nextcloud-data',
  'dbtype' => 'mysql',
  'version' => '22.2.3.0',
  'overwrite.cli.url' => 'https://xxx',
  'dbname' => 'nextcloud',
  'dbhost' => 'db',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'overwritehost' => 'xxx',
  'overwriteprotocol' => 'https',
  'twofactor_enforced' => 'true',
  'twofactor_enforced_groups' => 
  array (
    0 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'xxx',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'xxx',
  'mail_smtpname' => 'xxxg',
  'mail_smtppassword' => 'xxx',
  'mail_smtpport' => 'xx',
  'mail_smtpstreamoptions' => 
  array (
    'ssl' => 
    array (
      'allow_self_signed' => 'true',
      'verify_peer' => 'false',
      'verify_peer_name' => 'false',
    ),
  ),
  'updater.secret' => 'xxx',
  'loglevel' => 2,
  'maintenance' => false,
  'theme' => '',
);

Maybe the config of the social login app is more relevant here:
Authorize url: https://login.example.com/realms/example/protocol/openid-connect/auth
Token url: https://login.example.com/realms/example/protocol/openid-connect/token
Display name claim: empty
User info url: empty
Logout url: empty
Client Id: nextcloud
Client Secret: xxxxx
Scope: openid
Groups claim (optional): roles
Button style: Keycloak
Default group: None

The output of your Apache/nginx/system log in /var/log/____:

Can't find anything of relevance.

Any ideas?
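For readers troubleshooting the same setup, here is an added example (not code from the post, the Social Login app or Keycloak) of the OpenID Connect authorization-code flow the Authorize URL and Token URL above take part in. It matters for a 504 on the callback because the flow has two halves: the browser is sent to the Authorize URL (front channel), but the code it brings back is exchanged at the Token URL by the Nextcloud server itself (back channel), while the browser request and haproxy wait for that exchange to finish. The example runs offline against a constructed stand-in token endpoint on loopback; the redirect URI, the client secret and the HS256-signed ID token are constructed stand-ins (Keycloak signs with RS256 and publishes keys), and the `delay` knob simulates a Token URL that the Nextcloud host cannot reach promptly, which surfaces as a timeout on the callback rather than as anything in the Nextcloud log.

```python
# Added example (not from the forum post): authorization-code flow with a
# constructed stand-in for Keycloak's token endpoint, runnable offline.
import base64, hashlib, hmac, json, secrets, socket, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import URLError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

CLIENT_ID = "nextcloud"                                   # client id from the post
CLIENT_SECRET = "constructed-client-secret"               # placeholder, not a real secret
REDIRECT_URI = "https://cloud.example.invalid/callback"   # hypothetical redirect URI
TOKEN_PATH = "/realms/example/protocol/openid-connect/token"  # token path from the post
AUTHORIZE_URL = "https://login.example.com/realms/example/protocol/openid-connect/auth"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class StubKeycloak:
    """Constructed identity-provider stand-in (HS256 with the client secret, not RS256)."""
    def __init__(self, delay: float = 0.0):
        self.delay = delay   # seconds the token endpoint stalls before answering
        self.codes = {}      # one-time authorization code -> (subject, nonce)

    def authorize(self, nonce: str, subject: str = "testuser") -> str:
        # The Authorize URL's job once the user has logged in: mint a one-time code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, nonce)
        return code

    def id_token(self, subject: str, nonce: str) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps({"iss": "stub", "aud": CLIENT_ID, "sub": subject,
                                   "nonce": nonce, "roles": ["user"]}).encode())
        sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"


class _TokenHandler(BaseHTTPRequestHandler):
    def log_message(self, *_):  # keep the stub quiet
        pass

    def do_POST(self):
        op = self.server.op
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode())
        time.sleep(op.delay)  # simulate a back channel that is slow or unreachable
        code = form.get("code", [""])[0]
        if not (self.path == TOKEN_PATH and form.get("grant_type", [""])[0] == "authorization_code"
                and form.get("client_secret", [""])[0] == CLIENT_SECRET
                and form.get("redirect_uri", [""])[0] == REDIRECT_URI and code in op.codes):
            self.send_response(400); self.end_headers(); return
        subject, nonce = op.codes.pop(code)  # codes are single use
        body = json.dumps({"id_token": op.id_token(subject, nonce), "token_type": "Bearer"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_stub(op: StubKeycloak) -> str:
    """Serve the stub token endpoint on an ephemeral loopback port; return its Token URL."""
    server = HTTPServer(("127.0.0.1", 0), _TokenHandler)
    server.op = op
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}{TOKEN_PATH}"


class BackchannelTimeout(Exception):
    """Server-side token request did not complete; the reverse proxy would answer 504."""


def build_authorize_url(state: str, nonce: str) -> str:
    # Front channel: the URL the browser is redirected to.
    return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                          "redirect_uri": REDIRECT_URI, "scope": "openid",
                                          "state": state, "nonce": nonce})


def verify_id_token(token: str, nonce: str) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad ID token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != CLIENT_ID or claims.get("nonce") != nonce:
        raise ValueError("audience or nonce mismatch")
    return claims


def handle_callback(callback_url: str, expected_state: str, nonce: str,
                    token_url: str, timeout: float = 2.0) -> dict:
    # Back channel: runs on the Nextcloud server while browser and proxy wait.
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF or stale login)")
    form = urlencode({"grant_type": "authorization_code", "code": q["code"][0],
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET}).encode()
    try:
        with urlopen(Request(token_url, data=form, method="POST"), timeout=timeout) as resp:
            tokens = json.loads(resp.read())
    except socket.timeout as exc:
        raise BackchannelTimeout(f"token endpoint {token_url} stalled") from exc
    except URLError as exc:
        if isinstance(exc.reason, socket.timeout):
            raise BackchannelTimeout(f"token endpoint {token_url} unreachable") from exc
        raise
    return verify_id_token(tokens["id_token"], nonce)


def run_login(delay: float, timeout: float) -> dict:
    """Drive the whole flow against a stub whose token endpoint stalls for `delay` seconds."""
    op = StubKeycloak(delay=delay)
    token_url = start_stub(op)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorize_url(state, nonce)       # browser goes here and logs in
    code = op.authorize(nonce)              # Keycloak mints the code
    callback = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"
    return handle_callback(callback, state, nonce, token_url, timeout=timeout)


if __name__ == "__main__":
    print("healthy back channel:", run_login(0.0, 2.0)["sub"])
    try:
        run_login(2.0, 0.5)
    except BackchannelTimeout as e:
        print("stalled back channel:", e)
```

The practical check this models: from the host (or container) that runs the Nextcloud PHP process, not from a workstation, the Token URL must resolve and answer over TLS well inside haproxy's server timeout. The `state` and `nonce` checks are kept in the example because they are the two values that protect the callback from being replayed or cross-linked to another session, and a debugging change that drops them to "get it working" should be undone afterwards.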