During the last phase of OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token.
 
In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.
 
If this URL is only accessible to browsers from outside / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json.
 
Best regards,
Alexander
--
Alexander Schwartz (alexander.schwartz@gmx.net)
http://www.ahus1.de
 
 
Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi" <ornot2008@yahoo.com>
To: Keycloak-user <keycloak-user@lists.jboss.org>
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
We get lots of errors like this:
 
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
 
 
and which makes the login slow or fail.
 
 
We are using keycloak 1.7.0 final and broker a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak both are standalone.
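
A reachability check for the situation described in the reply at the top of this thread, to be run on the application server host. It is an added example, not part of the original messages or of Keycloak's own code. The sample keycloak.json, its host names, realm and client are constructed placeholders, and the function names are hypothetical.

```python
import json
import socket
from urllib.parse import urlsplit

# Constructed sample keycloak.json; hosts, realm and client are placeholders.
SAMPLE_KEYCLOAK_JSON = """
{
  "realm": "demo",
  "resource": "my-app",
  "auth-server-url": "https://sso.example.com/auth",
  "auth-server-url-for-backend-requests": "http://keycloak.internal.example:8080/auth"
}
"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def backend_endpoint(config_text):
    """Return (url, host, port) that server-side adapter calls would target."""
    cfg = json.loads(config_text)
    # Assumption: the backend URL, when present, is the one used for the
    # code-to-token request; otherwise the browser-facing URL is used.
    url = cfg.get("auth-server-url-for-backend-requests") or cfg["auth-server-url"]
    parts = urlsplit(url)
    if not parts.hostname or parts.scheme not in DEFAULT_PORTS:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    return url, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def can_connect(host, port, timeout=3.0):
    """Attempt a TCP connect with a short timeout; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:  # covers timeouts, refusals and DNS failures
        return False, "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    url, host, port = backend_endpoint(SAMPLE_KEYCLOAK_JSON)
    ok, detail = can_connect(host, port)
    print("%s -> %s:%d reachable=%s (%s)" % (url, host, port, ok, detail))
```

A timeout here, from the same host that runs the adapter, points at routing or firewalling between the application server and Keycloak rather than at the login flow itself.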