<html><head></head><body><div style="color:#000; background-color:#fff; font-family:garamond, new york, times, serif;font-size:14px"><div id="yui_3_16_0_1_1453279005988_7062"><span id="yui_3_16_0_1_1453279005988_7411">Hi, </span></div><div id="yui_3_16_0_1_1453279005988_7062"><br></div><div id="yui_3_16_0_1_1453279005988_7062">In the user guide can find these :</div><div id="yui_3_16_0_1_1453279005988_7062"><br></div><div id="yui_3_16_0_1_1453279005988_7347" class="">For cluster setup, it may be even better to use option <span class="" id="yui_3_16_0_1_1453279005988_7349"><em id="yui_3_16_0_1_1453279005988_7351" class="">auth-server-url-for-backend-request</em></span> . This allows to configure that backend requests between Keycloak and your application will be sent directly to same cluster host without additional round-trip through loadbalancer. So for this, it's good to configure values in<code class="" style="font-size: 0.9em; font-family: courrier, monospace; white-space: nowrap;" id="yui_3_16_0_1_1453279005988_7353">WEB-INF/keycloak.json</code> like this:</div><div id="yui_3_16_0_1_1453279005988_7062"><a id="relative-uri-optimization" style="color: rgb(51, 51, 51); font-family: 'Lucida Grande', Geneva, Verdana, Arial, sans-serif; font-size: 12px; line-height: 18px; text-align: justify;" class="" href=""></a></div><pre xmlns="" xmlns:d="http://docbook.org/ns/docbook" xmlns:rf="java:org.jboss.highlight.XhtmlRendererFactory" class="" style="font-size: 0.9em; font-family: courrier, monospace; display: block; color: rgb(51, 51, 51); overflow: auto; padding: 5px 15px 5px 25px; border: 1px solid rgb(204, 204, 204); background-color: rgb(245, 245, 245);" id="yui_3_16_0_1_1453279005988_7356">"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"</pre><div id="yui_3_16_0_1_1453279005988_7062"><br></div><div id="yui_3_16_0_1_1453279005988_7062"><br></div><div id="yui_3_16_0_1_1453279005988_7062">but I can not understand it yet. Suppose my case, is there any recommendation ? </div><div id="yui_3_16_0_1_1453279005988_7062"><br></div><div id="yui_3_16_0_1_1453279005988_7062"><br></div><div id="yui_3_16_0_1_1453279005988_7062">(BTW: I found the reply will be listed in a separated thread when reply from email. I am very sorry. ) </div> <div class="qtdSeparateBR" id="yui_3_16_0_1_1453279005988_7110"><br><br></div><div class="yahoo_quoted" id="yui_3_16_0_1_1453279005988_7094" style="display: block;"> <div style="font-family: garamond, new york, times, serif; font-size: 14px;" id="yui_3_16_0_1_1453279005988_7093"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" id="yui_3_16_0_1_1453279005988_7092"> <div dir="ltr" id="yui_3_16_0_1_1453279005988_7109"><font size="2" face="Arial" id="yui_3_16_0_1_1453279005988_7108"> On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz <alexander.schwartz@gmx.net> wrote:<br></font></div> <br><br> <div class="y_msg_container" id="yui_3_16_0_1_1453279005988_7091"><div id="yiv3948962181"><div id="yui_3_16_0_1_1453279005988_7090"><div style="font-family:Verdana;font-size:12.0px;" id="yui_3_16_0_1_1453279005988_7089"><div id="yui_3_16_0_1_1453279005988_7096">Hi,</div>
<div id="yui_3_16_0_1_1453279005988_7095"> </div>
<div id="yui_3_16_0_1_1453279005988_7088">I am not sure what you mean with "the round trip" here.</div>
<div id="yui_3_16_0_1_1453279005988_7107"> </div>
<div id="yui_3_16_0_1_1453279005988_7106">My recommendation is that auth-server-url should always contain a fully qualified URL. I have actually never tried to use it without a fully qualified URL.</div>
<div id="yui_3_16_0_1_1453279005988_7105"> </div>
<div id="yui_3_16_0_1_1453279005988_7104">If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests for a fully qualified URL (including protocol, host, etc.)</div>
<div id="yui_3_16_0_1_1453279005988_7097"> </div>
<div id="yui_3_16_0_1_1453279005988_7103">I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)</div>
<div id="yui_3_16_0_1_1453279005988_7102"> </div>
<div id="yui_3_16_0_1_1453279005988_7101">Best regards,</div>
<div id="yui_3_16_0_1_1453279005988_7100">Alexander</div>
<div id="yui_3_16_0_1_1453279005988_7099"> </div>
<div class="yiv3948962181signature" id="yui_3_16_0_1_1453279005988_7098">--<br clear="none">
Alexander Schwartz (alexander.schwartz@gmx.net)<br clear="none">
http://www.ahus1.de</div>
<div id="yui_3_16_0_1_1453279005988_7164">
<div id="yui_3_16_0_1_1453279005988_7165">
<div style="margin:10px 5px 5px 10px;padding:10px 0 10px 10px;border-left:2px solid #C3D9E5;word-wrap:break-word;" id="yui_3_16_0_1_1453279005988_7166">
<div style="margin:0 0 10px 0;" id="yui_3_16_0_1_1453279005988_7167"><b id="yui_3_16_0_1_1453279005988_7672">Gesendet:</b> Mittwoch, 20. Januar 2016 um 09:57 Uhr<br clear="none">
<b id="yui_3_16_0_1_1453279005988_7673">Von:</b> "Mai Zi" <ornot2008@yahoo.com><br clear="none">
<b id="yui_3_16_0_1_1453279005988_7674">An:</b> "Alexander Schwartz" <alexander.schwartz@gmx.net>, Keycloak-user <keycloak-user@lists.jboss.org><br clear="none">
<b id="yui_3_16_0_1_1453279005988_7675">Betreff:</b> Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?</div>
<div class="yiv3948962181yqt3872443301" id="yiv3948962181yqt73468"><div>
<div style="color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:garamond , new york , times , serif;font-size:14.0px;">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"><span>Hi, Alexander,</span></div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"><span id="yiv3948962181yui_3_16_0_1_1453279005988_3248"> We deploy the client application server (wildfly) and auth server (keycloak) in the same machine. </span></div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"><span id="yiv3948962181yui_3_16_0_1_1453279005988_3052"> The web app url is : <a rel="nofollow" shape="rect" id="yiv3948962181yui_3_16_0_1_1453279005988_3049" target="_blank" href="http://ourhost.com/hello/index.html">http://ourhost.com/hello/index.html</a></span></div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> the auth server is <a rel="nofollow" shape="rect" target="_blank" href="https://ourhost.com/auth">https://ourhost.com/auth</a></div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> then the setup in keycloak.json should be :</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"></div>
<pre id="yiv3948962181yui_3_16_0_1_1453279005988_3273" style="font-size:0.9em;font-family:courrier , monospace;display:block;color:rgb(51,51,51);overflow:auto;padding:5.0px 15.0px 5.0px 25.0px;border:1.0px solid rgb(204,204,204);background-color:rgb(245,245,245);">"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "https://ourhost/auth"
</pre>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> This can reduce the round trip?</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861">Thanks a lot </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2861"> </div>
<div class="yiv3948962181qtdSeparateBR" id="yiv3948962181yui_3_16_0_1_1453279005988_2918"><br clear="none">
</div>
<div class="yiv3948962181yahoo_quoted" id="yiv3948962181yui_3_16_0_1_1453279005988_2913" style="display:block;">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2912" style="font-family:garamond , new york , times , serif;font-size:14.0px;">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2911" style="font-family:HelveticaNeue , Helvetica Neue , Helvetica , Arial , Lucida Grande , sans-serif;font-size:16.0px;">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2917"><font id="yiv3948962181yui_3_16_0_1_1453279005988_2916" face="Arial" size="2">On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz <alexander.schwartz@gmx.net> wrote:</font></div>
<div class="yiv3948962181y_msg_container" id="yiv3948962181yui_3_16_0_1_1453279005988_2910">
<div id="yiv3948962181">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2909">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2908" style="font-family:Verdana;font-size:12.0px;">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2915">During the last phase of OAuth negotation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token.</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2914"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2907">In order to work the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2990"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2989">If this URL is only accessible browsers from external / via a load balancer, and client application should use a different (direct) URL to reach the keycloak server you can specify auth-server-url-for-backend-requests in your keycloak.json</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2988"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2987">Best regards,</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2978">Alexander</div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2986"> </div>
<div class="yiv3948962181signature" id="yiv3948962181yui_3_16_0_1_1453279005988_2985">--<br clear="none">
Alexander Schwartz (alexander.schwartz@gmx.net)<br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="http://www.ahus1.de/">http://www.ahus1.de</a></div>
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2983">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2982">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2981" style="margin:10.0px 5.0px 5.0px 10.0px;padding:10.0px 0 10.0px 10.0px;border-left:2.0px solid rgb(195,217,229);">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2984" style="margin:0 0 10.0px 0;"><b>Gesendet:</b> Mittwoch, 20. Januar 2016 um 05:23 Uhr<br clear="none">
<b>Von:</b> "Mai Zi" <ornot2008@yahoo.com><br clear="none">
<b>An:</b> Keycloak-user <keycloak-user@lists.jboss.org><br clear="none">
<b>Betreff:</b> [keycloak-user] What can bring this error "failed to turn code into token" over and over again?</div>
<div class="yiv3948962181yqt9364272955" id="yiv3948962181yqt99376">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2980">
<div id="yiv3948962181yui_3_16_0_1_1453279005988_2979" style="color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:garamond , new york , times , serif;font-size:14.0px;">
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506">We get lots of errors like this:</div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506">2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out</div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506">and which makes the login slow or failed .</div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506"> </div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506">We are using keycloak 1.7.0 final and broke a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak both are standalone. </div>
<div id="yiv3948962181yui_3_16_0_1_1453262753340_2506"> </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br clear="none">
</div>
</div>
</div>
</div>
</div>
</div></div>
</div>
</div>
</div></div></div></div><br><br></div> </div> </div> </div></div></body></html>