Hi, Alexander,

We deploy the client application server (wildfly) and the auth server (keycloak) on the same machine.
The web app URL is:    http://ourhost.com/hello/index.html
The auth server is:    https://ourhost.com/auth

Then the setup in keycloak.json should be:

"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "https://ourhost/auth"

Can this reduce the round trip?


Thanks a lot 







On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz <alexander.schwartz@gmx.net> wrote:


During the last phase of OAuth negotiation the client application (here: wildfly) will contact the OAuth server (here: keycloak) to change the code into a token.

In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.

If this URL is only accessible to browsers from outside / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json.
 
Best regards,
Alexander
 
--
Alexander Schwartz (alexander.schwartz@gmx.net)
http://www.ahus1.de
 
 
Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi" <ornot2008@yahoo.com>
To: Keycloak-user <keycloak-user@lists.jboss.org>
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
We get lots of errors like this:
 
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
 
 
which makes the login slow or fail.
 
 
We are using keycloak 1.7.0 final and broker a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak are both standalone.
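
The two keycloak.json settings discussed in this thread, as an added example that is not part of any message above and is not Keycloak's own code: it models which URL the adapter would call to turn the code into a token and checks whether the application host can open a TCP connection to it. Assumptions: the realm name `demo`, the function names, and the simplified resolution rule (backend URL if set, otherwise a relative auth-server-url resolved against the incoming request).

```python
import json
import socket
from urllib.parse import urljoin, urlsplit

# Constructed sample: the two settings from the thread; realm "demo" is hypothetical.
KEYCLOAK_JSON = """{
  "realm": "demo",
  "auth-server-url": "/auth",
  "auth-server-url-for-backend-requests": "https://ourhost/auth"
}"""

# Keycloak's OpenID Connect token endpoint path, relative to the auth server base URL.
TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"


def token_endpoint(config, request_url):
    """URL used for the code-to-token call (simplified model, an assumption)."""
    base = config.get("auth-server-url-for-backend-requests")
    if not base:
        # Assumption: a relative auth-server-url is resolved against the
        # URL of the incoming browser request, scheme and host included.
        base = urljoin(request_url, config["auth-server-url"])
    return base.rstrip("/") + TOKEN_PATH.format(realm=config["realm"])


def host_port(url):
    """Host and port a backend connection to this URL would target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def probe(url, timeout=3.0):
    """Try a TCP connect from this machine; returns (ok, detail)."""
    host, port = host_port(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected to %s:%d" % (host, port)
    except OSError as exc:  # includes timeouts, refusals and DNS failures
        return False, "%s:%d unreachable: %s" % (host, port, exc)


if __name__ == "__main__":
    cfg = json.loads(KEYCLOAK_JSON)
    url = token_endpoint(cfg, "http://ourhost.com/hello/index.html")
    print(url, probe(url))
```

Run it on the wildfly host itself: a failed probe there corresponds to the "Connection timed out" in the adapter log, independent of whether a browser can reach the same URL.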