[keycloak-user] What can bring this error "failed to turn code into token" over and over again?
Mai Zi
ornot2008 at yahoo.com
Wed Jan 20 04:33:06 EST 2016
Hi,
In the user guide can find these :
For cluster setup, it may be even better to use option auth-server-url-for-backend-requests. This allows you to configure that backend requests between Keycloak and your application will be sent directly to the same cluster host without an additional round-trip through the loadbalancer. So for this, it's good to configure values in WEB-INF/keycloak.json like this:
"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"
but I cannot understand it yet. For my case, is there any recommendation?
(BTW: I found that the reply is listed in a separate thread when replying from email. I am very sorry.)
On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz <alexander.schwartz at gmx.net> wrote:
Hi, I am not sure what you mean with "the round trip" here. My recommendation is that auth-server-url should always contain a fully qualified URL. I have actually never tried to use it without a fully qualified URL. If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests to a fully qualified URL (including protocol, host, etc.). I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)
Best regards,
Alexander
--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de
Sent: Wednesday, 20 January 2016 at 09:57
From: "Mai Zi" <ornot2008 at yahoo.com>
To: "Alexander Schwartz" <alexander.schwartz at gmx.net>, Keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
Hi, Alexander,
We deploy the client application server (wildfly) and auth server (keycloak) on the same machine. The web app URL is: http://ourhost.com/hello/index.html
The auth server is https://ourhost.com/auth
Then the setup in keycloak.json should be:
"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "https://ourhost/auth"
Can this reduce the round trip? Thanks a lot
On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz <alexander.schwartz at gmx.net> wrote:
During the last phase of OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token. In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json. If this URL is only accessible to browsers from external / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json
Best regards,
Alexander
--
Alexander Schwartz (alexander.schwartz at gmx.net)
http://www.ahus1.de
Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi" <ornot2008 at yahoo.com>
To: Keycloak-user <keycloak-user at lists.jboss.org>
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
We get lots of errors like this:
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
which makes the login slow or fail. We are using keycloak 1.7.0 final and broker a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak are both standalone.
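The rule Alexander states in this thread (a relative auth-server-url is only acceptable if auth-server-url-for-backend-requests is fully qualified, because the adapter's server-side code-to-token call needs a host it can actually connect to) can be checked before deployment. The script below is an added example and not Keycloak adapter code: it loads a WEB-INF/keycloak.json, expands a ${jboss.host.name} style placeholder from a property map, and reports which base URL the backend code-to-token exchange would go to, or why it cannot work. The helper names, the property map, and the two sample configs are constructed for this example; the realm/token path is the standard Keycloak OpenID Connect token endpoint layout.

```python
"""Check the adapter URL settings in a keycloak.json and derive the
backend token endpoint. Added example, not Keycloak project code."""
import json
from urllib.parse import urljoin, urlsplit

# Standard Keycloak OIDC token endpoint path, relative to the auth server base URL.
TOKEN_PATH = "realms/{realm}/protocol/openid-connect/token"


def is_absolute(url):
    """True when the URL carries both a scheme and a host, e.g. https://host/auth."""
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.netloc)


def expand_placeholders(url, props):
    """Expand ${name} system-property placeholders such as ${jboss.host.name}.
    The property map is supplied by the caller (constructed here; the real
    adapter reads JBoss system properties)."""
    for name, value in props.items():
        url = url.replace("${" + name + "}", value)
    return url


def backend_base_url(config, props=None):
    """Pick the base URL the adapter would use for the server-to-server
    code-to-token call, applying the rule from the thread: if auth-server-url
    is not fully qualified, auth-server-url-for-backend-requests must be."""
    props = props or {}
    backend = config.get("auth-server-url-for-backend-requests")
    frontend = config.get("auth-server-url")
    if backend:
        backend = expand_placeholders(backend, props)
        if not is_absolute(backend):
            raise ValueError(
                "auth-server-url-for-backend-requests must be fully qualified: %r" % backend)
        return backend
    if frontend and is_absolute(frontend):
        # No dedicated backend URL: the adapter reuses the public URL, which is
        # fine only if the app server can reach that host (not just browsers).
        return frontend
    raise ValueError(
        "auth-server-url %r is relative and no fully qualified "
        "auth-server-url-for-backend-requests is set; the adapter has no host "
        "to contact for the code-to-token exchange" % frontend)


def token_endpoint(config, props=None):
    """Full URL of the token endpoint the backend exchange would hit."""
    base = backend_base_url(config, props).rstrip("/") + "/"
    return urljoin(base, TOKEN_PATH.format(realm=config["realm"]))


def check_config(text, props=None):
    """Return ("ok", token endpoint) or ("error", reason) for a keycloak.json body."""
    config = json.loads(text)
    try:
        return ("ok", token_endpoint(config, props))
    except ValueError as exc:
        return ("error", str(exc))


# Constructed sample configs (hypothetical realm and resource names).
BROKEN = '{"realm": "demo", "resource": "hello", "auth-server-url": "/auth"}'
FIXED = ('{"realm": "demo", "resource": "hello", "auth-server-url": "/auth", '
         '"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"}')

if __name__ == "__main__":
    # Constructed property value standing in for the JBoss host name.
    props = {"jboss.host.name": "node1.internal"}
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        status, detail = check_config(text, props)
        print("%s: %s: %s" % (label, status, detail))
```

Running it prints an error for the first config and the direct node1.internal token URL for the second, which is the same distinction the adapter log line "failed to turn code into token" hides: the browser redirect through the proxy works with the relative URL, but the server-side exchange has nowhere to go.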