Hi,
In the user guide I can find this:
For cluster setup, it may be even better to use option auth-server-url-for-backend-requests. This allows you to configure that backend requests between Keycloak and your application will be sent directly to the same cluster host without an additional round-trip through the load balancer. So for this, it's good to configure values in WEB-INF/keycloak.json
like this:
"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"
but I cannot understand it yet. For my case, is there any recommendation?
(BTW: I found that the reply is listed in a separate thread when replying from email. I am very sorry.)
On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz <alexander.schwartz@gmx.net> wrote:
Hi,
I am not sure what you mean with "the round trip" here.
My recommendation is that auth-server-url should always contain a fully qualified URL. I have actually never tried to use it without a fully qualified URL.
If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests to a fully qualified URL (including protocol, host, etc.)
I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)
Best regards,
Alexander
--
Alexander Schwartz (alexander.schwartz@gmx.net)
http://www.ahus1.de
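The rule from this reply (and from the earlier explanation of the code-to-token step) can be checked mechanically before deploying. The following is an added example, not Keycloak's or the adapter's own code: it resolves which of the two URLs the application would use for its server-to-server token request, expands JBoss-style `${...}` placeholders from a supplied dict (the property names and sample values are constructed), and flags a relative URL that would leave the backend call without a host.

```python
"""Check the auth-server URLs in a Keycloak adapter keycloak.json.

Added example (not Keycloak's own code). Assumption encoded from the thread:
the adapter uses "auth-server-url-for-backend-requests" for server-to-server
calls (code-to-token exchange) when present, otherwise "auth-server-url", and
that URL must be fully qualified (scheme + host) to be reachable.
"""
import json
import re
from urllib.parse import urlsplit

BROWSER_KEY = "auth-server-url"
BACKEND_KEY = "auth-server-url-for-backend-requests"

# JBoss-style property placeholders such as ${jboss.host.name}
_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed sample: the cluster-style fragment quoted from the user guide
SAMPLE_CONFIG = json.loads("""{
  "auth-server-url": "/auth",
  "auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"
}""")


def expand(url, props):
    """Substitute ${name} placeholders from a dict of system properties."""
    def repl(match):
        name = match.group(1)
        if name not in props:
            raise KeyError(f"unresolved placeholder ${{{name}}} in {url!r}")
        return props[name]
    return _PLACEHOLDER.sub(repl, url)


def is_absolute(url):
    """True when the URL carries an http(s) scheme and a host part."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def backend_url(config, props=None):
    """URL the application would use for the code-to-token request."""
    raw = config.get(BACKEND_KEY) or config.get(BROWSER_KEY, "")
    return expand(raw, props or {})


def check(config, props=None):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if BROWSER_KEY not in config:
        problems.append(f"missing {BROWSER_KEY}")
    target = backend_url(config, props)
    if not is_absolute(target):
        problems.append(f"backend requests would use {target!r}, which has no "
                        f"scheme/host; set {BACKEND_KEY} to an absolute URL")
    return problems
```

Running `check({"auth-server-url": "/auth"})` reports the relative URL, while the sample config with `{"jboss.host.name": "node1"}` resolves to `http://node1:8080/auth` and passes.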
Sent: Wednesday, 20 January 2016 at 09:57
From: "Mai Zi" <ornot2008@yahoo.com>
To: "Alexander Schwartz" <alexander.schwartz@gmx.net>, Keycloak-user <keycloak-user@lists.jboss.org>
Subject: Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
Hi, Alexander,
We deploy the client application server (wildfly) and auth server (keycloak) in the same machine.
Then the setup in keycloak.json should be:
"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "https://ourhost/auth"
This can reduce the round trip?
Thanks a lot
On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz <alexander.schwartz@gmx.net> wrote:
During the last phase of OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token.
In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json.
If this URL is only accessible to browsers from external / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json.
Best regards,
Alexander
Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi" <ornot2008@yahoo.com>
To: Keycloak-user <keycloak-user@lists.jboss.org>
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
We get lots of errors like this:
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
which makes the login slow or fail.
We are using keycloak 1.7.0 final and broker a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak are both standalone.