
<html><head></head><body><div style="color:#000; background-color:#fff; font-family:garamond, new york, times, serif;font-size:14px"><div id="yui_3_16_0_1_1453279005988_15596"><span id="yui_3_16_0_1_1453279005988_15884">I finally figure it out for my case as below:</span></div><div id="yui_3_16_0_1_1453279005988_15596"><span><br></span></div><div id="yui_3_16_0_1_1453279005988_15596"><span id="yui_3_16_0_1_1453279005988_15945">My case:</span></div><div id="yui_3_16_0_1_1453279005988_15596"><span><br></span></div><div id="yiv9129191185yui_3_16_0_1_1453279005988_2861" class=""><span id="yiv9129191185yui_3_16_0_1_1453279005988_3052" class="">The &nbsp;web app url is : &nbsp; &nbsp;&nbsp;<a rel="nofollow" shape="rect" id="yiv9129191185yui_3_16_0_1_1453279005988_3049" target="_blank" href="http://ourhost.com/hello/index.html" style="color: rgb(25, 106, 212);" class="">http://ourhost.com/hello/index.html</a></span></div><div dir="ltr" id="yiv9129191185yui_3_16_0_1_1453279005988_2861" class="">&nbsp;the &nbsp;auth server is &nbsp; &nbsp; &nbsp; &nbsp;https://ourhost.com/auth</div><div dir="ltr" id="yui_3_16_0_1_1453279005988_15841" class=""><br id="yui_3_16_0_1_1453279005988_15843" class=""></div><div dir="ltr" id="yui_3_16_0_1_1453279005988_15841" class="">My configuration:</div><div id="yui_3_16_0_1_1453279005988_15596"><span><br></span></div><div id="yui_3_16_0_1_1453279005988_15596" dir="ltr"><span>&nbsp;&nbsp;</span><span style="color: rgb(51, 51, 51); font-family: courrier, monospace; font-size: 0.9em; white-space: pre-wrap; background-color: rgb(245, 245, 245);" id="yui_3_16_0_1_1453279005988_15824" class="">"auth-server-url": "<span style="color: rgb(0, 0, 0); font-family: garamond, 'new york', times, serif; font-size: 14px; white-space: normal; background-color: rgb(255, 255, 255);" id="yui_3_16_0_1_1453279005988_15897" class=""><a href="https://ourhost.com/auth" id="yui_3_16_0_1_1453279005988_15895">https://ourhost.com/auth</a></span>",</span></div><pre class="" id="yiv9129191185yui_3_16_0_1_1453279005988_3273" style="font-family: courrier, monospace; font-size: 0.9em; color: rgb(51, 51, 51); overflow: auto; padding: 5px 15px 5px 25px; border: 1px solid rgb(204, 204, 204); background-color: rgb(245, 245, 245);">"auth-server-url-for-backend-requests": "http://localhost/auth"</pre><div id="yui_3_16_0_1_1453279005988_15596"><br></div><div id="yui_3_16_0_1_1453279005988_15596"><br></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: garamond, new york, times, serif; font-size: 14px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Wednesday, January 20, 2016 5:33 PM, Mai Zi &lt;ornot2008@yahoo.com&gt; wrote:<br></font></div>  <br><br> <div class="y_msg_container"><div id="yiv6716640628"><div><div style="color:#000;background-color:#fff;font-family:garamond, new york, times, serif;font-size:14px;"><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><span id="yiv6716640628yui_3_16_0_1_1453279005988_7411">Hi,&nbsp;</span></div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><br clear="none"></div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062">In the user guide can find these :</div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><br clear="none"></div><div class="yiv6716640628" id="yiv6716640628yui_3_16_0_1_1453279005988_7347">For cluster setup, it may be even better to use option&nbsp;<span class="yiv6716640628" id="yiv6716640628yui_3_16_0_1_1453279005988_7349"><em class="yiv6716640628" id="yiv6716640628yui_3_16_0_1_1453279005988_7351">auth-server-url-for-backend-request</em></span>&nbsp;. This allows to configure that backend requests between Keycloak and your application will be sent directly to same cluster host without additional round-trip through loadbalancer. So for this, it's good to configure values in<code class="yiv6716640628" id="yiv6716640628yui_3_16_0_1_1453279005988_7353" style="font-size:0.9em;font-family:courrier, monospace;white-space:nowrap;">WEB-INF/keycloak.json</code>&nbsp;like this:</div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><a rel="nofollow" shape="rect" class="yiv6716640628" id="yiv6716640628relative-uri-optimization" style="color:rgb(51, 51, 51);font-family:'Lucida Grande', Geneva, Verdana, Arial, sans-serif;font-size:12px;line-height:18px;text-align:justify;" href=""></a></div><pre class="yiv6716640628" id="yiv6716640628yui_3_16_0_1_1453279005988_7356" style="font-size:0.9em;font-family:courrier, monospace;display:block;color:rgb(51, 51, 51);overflow:auto;padding:5px 15px 5px 25px;border:1px solid rgb(204, 204, 204);background-color:rgb(245, 245, 245);">"auth-server-url": "/auth",

"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"</pre><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><br clear="none"></div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><br clear="none"></div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062">but I can not understand it yet. &nbsp; Suppose my case, is there &nbsp;any recommendation ? &nbsp;</div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><br clear="none"></div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062"><br clear="none"></div><div id="yiv6716640628yui_3_16_0_1_1453279005988_7062">(BTW: &nbsp;I found the reply will be listed in a separated &nbsp;thread when reply from email. &nbsp;I am very sorry. )&nbsp;</div> <div class="yiv6716640628qtdSeparateBR" id="yiv6716640628yui_3_16_0_1_1453279005988_7110"><br clear="none"><br clear="none"></div><div class="yiv6716640628yqt0709327038" id="yiv6716640628yqt79988"><div class="yiv6716640628yahoo_quoted" id="yiv6716640628yui_3_16_0_1_1453279005988_7094" style="display:block;"> <div id="yiv6716640628yui_3_16_0_1_1453279005988_7093" style="font-family:garamond, new york, times, serif;font-size:14px;"> <div id="yiv6716640628yui_3_16_0_1_1453279005988_7092" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr" id="yiv6716640628yui_3_16_0_1_1453279005988_7109"><font id="yiv6716640628yui_3_16_0_1_1453279005988_7108" size="2" face="Arial"> On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz &lt;alexander.schwartz@gmx.net&gt; wrote:<br clear="none"></font></div>  <br clear="none"><br clear="none"> <div class="yiv6716640628y_msg_container" id="yiv6716640628yui_3_16_0_1_1453279005988_7091"><div id="yiv6716640628"><div id="yiv6716640628yui_3_16_0_1_1453279005988_7090"><div id="yiv6716640628yui_3_16_0_1_1453279005988_7089" style="font-family:Verdana;font-size:12.0px;"><div id="yiv6716640628yui_3_16_0_1_1453279005988_7096">Hi,</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7095">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7088">I am not sure what you mean with "the round trip" here.</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7107">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7106">My recommendation is that auth-server-url should always contain a fully qualified URL. I have actually never tried to use it without a fully qualified URL.</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7105">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7104">If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests for a fully qualified URL (including protocol, host, etc.)</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7097">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7103">I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7102">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7101">Best regards,</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7100">Alexander</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7099">&nbsp;</div>


<div class="yiv6716640628signature" id="yiv6716640628yui_3_16_0_1_1453279005988_7098">--<br clear="none">

Alexander Schwartz (alexander.schwartz@gmx.net)<br clear="none">

http://www.ahus1.de</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_7164">&nbsp;

<div id="yiv6716640628yui_3_16_0_1_1453279005988_7165">&nbsp;

<div id="yiv6716640628yui_3_16_0_1_1453279005988_7166" style="margin:10px 5px 5px 10px;padding:10px 0 10px 10px;border-left:2px solid #C3D9E5;word-wrap:break-word;">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_7167" style="margin:0 0 10px 0;"><b id="yiv6716640628yui_3_16_0_1_1453279005988_7672">Gesendet:</b>&nbsp;Mittwoch, 20. Januar 2016 um 09:57 Uhr<br clear="none">

<b id="yiv6716640628yui_3_16_0_1_1453279005988_7673">Von:</b>&nbsp;"Mai Zi" &lt;ornot2008@yahoo.com&gt;<br clear="none">

<b id="yiv6716640628yui_3_16_0_1_1453279005988_7674">An:</b>&nbsp;"Alexander Schwartz" &lt;alexander.schwartz@gmx.net&gt;, Keycloak-user &lt;keycloak-user@lists.jboss.org&gt;<br clear="none">

<b id="yiv6716640628yui_3_16_0_1_1453279005988_7675">Betreff:</b>&nbsp;Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?</div>


<div class="yiv6716640628yqt3872443301" id="yiv6716640628yqt73468"><div>

<div style="color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:garamond , new york , times , serif;font-size:14.0px;">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861"><span>Hi, Alexander,</span></div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861"><span id="yiv6716640628yui_3_16_0_1_1453279005988_3248">&nbsp; &nbsp;We deploy the &nbsp;client application server (wildfly) and auth server (keycloak) in the same machine. &nbsp; &nbsp;</span></div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861"><span id="yiv6716640628yui_3_16_0_1_1453279005988_3052">&nbsp; The &nbsp;web app url is : &nbsp; &nbsp; <a rel="nofollow" shape="rect" id="yiv6716640628yui_3_16_0_1_1453279005988_3049" target="_blank" href="http://ourhost.com/hello/index.html">http://ourhost.com/hello/index.html</a></span></div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp; &nbsp;the &nbsp;auth server is &nbsp; &nbsp; &nbsp; &nbsp;<a rel="nofollow" shape="rect" target="_blank" href="https://ourhost.com/auth">https://ourhost.com/auth</a></div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp; then the setup in keycloak.json should be :</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp; &nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861"></div>


<pre id="yiv6716640628yui_3_16_0_1_1453279005988_3273" style="font-size:0.9em;font-family:courrier , monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5.0px 15.0px 5.0px 25.0px;border:1.0px solid rgb(204,204,204);background-color:rgb(245,245,245);">"auth-server-url": "/auth",

"auth-server-url-for-backend-requests": "https://ourhost/auth"

</pre>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp; This can reduce the round trip?</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">Thanks a lot&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2861">&nbsp;</div>


<div class="yiv6716640628qtdSeparateBR" id="yiv6716640628yui_3_16_0_1_1453279005988_2918"><br clear="none">

&nbsp;</div>


<div class="yiv6716640628yahoo_quoted" id="yiv6716640628yui_3_16_0_1_1453279005988_2913" style="display:block;">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2912" style="font-family:garamond , new york , times , serif;font-size:14.0px;">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2911" style="font-family:HelveticaNeue , Helvetica Neue , Helvetica , Arial , Lucida Grande , sans-serif;font-size:16.0px;">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2917"><font id="yiv6716640628yui_3_16_0_1_1453279005988_2916" face="Arial" size="2">On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz &lt;alexander.schwartz@gmx.net&gt; wrote:</font></div>

&nbsp;


<div class="yiv6716640628y_msg_container" id="yiv6716640628yui_3_16_0_1_1453279005988_2910">

<div id="yiv6716640628">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2909">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2908" style="font-family:Verdana;font-size:12.0px;">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2915">During the last phase of OAuth negotation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token.</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2914">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2907">In order to work the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2990">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2989">If this URL is only accessible browsers from external / via a load balancer, and client application should use a different (direct) URL to reach the keycloak server you can specify auth-server-url-for-backend-requests in your keycloak.json</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2988">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2987">Best regards,</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2978">Alexander</div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2986">&nbsp;</div>


<div class="yiv6716640628signature" id="yiv6716640628yui_3_16_0_1_1453279005988_2985">--<br clear="none">

Alexander Schwartz (alexander.schwartz@gmx.net)<br clear="none">

<a rel="nofollow" shape="rect" target="_blank" href="http://www.ahus1.de/">http://www.ahus1.de</a></div>


<div id="yiv6716640628yui_3_16_0_1_1453279005988_2983">&nbsp;

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2982">&nbsp;

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2981" style="margin:10.0px 5.0px 5.0px 10.0px;padding:10.0px 0 10.0px 10.0px;border-left:2.0px solid rgb(195,217,229);">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2984" style="margin:0 0 10.0px 0;"><b>Gesendet:</b>&nbsp;Mittwoch, 20. Januar 2016 um 05:23 Uhr<br clear="none">

<b>Von:</b>&nbsp;"Mai Zi" &lt;ornot2008@yahoo.com&gt;<br clear="none">

<b>An:</b>&nbsp;Keycloak-user &lt;keycloak-user@lists.jboss.org&gt;<br clear="none">

<b>Betreff:</b>&nbsp;[keycloak-user] What can bring this error "failed to turn code into token" over and over again?</div>


<div class="yiv6716640628yqt9364272955" id="yiv6716640628yqt99376">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2980">

<div id="yiv6716640628yui_3_16_0_1_1453279005988_2979" style="color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:garamond , new york , times , serif;font-size:14.0px;">

<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">We get lots of errors like this:</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">and which makes the login slow or failed .</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">We are using keycloak 1.7.0 final &nbsp;and broke a SAML 2.0 IDP (ADFS). &nbsp;The wildfly app server &nbsp;and keycloak both are standalone.&nbsp;</div>


<div id="yiv6716640628yui_3_16_0_1_1453262753340_2506">&nbsp;</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

</div>

<br clear="none">

&nbsp;</div>

</div>

</div>

</div>

</div>

</div></div>

</div>

</div>

</div></div></div></div><br clear="none"><br clear="none"></div>  </div> </div>  </div></div></div></div></div><br><br></div>  </div> </div>  </div></div></body></html>