I finally figured it out for my case, as below:
My case:
The web app URL is http://ourhost.com/hello/index.html and the auth server is https://ourhost.com/auth
My configuration:
"auth-server-url": "https://ourhost.com/auth",
"auth-server-url-for-backend-requests": "http://localhost/auth"
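The rule Alexander states further down in the thread (a relative auth-server-url only works if auth-server-url-for-backend-requests is set to a fully qualified URL, because the adapter uses that second URL for the server-to-server code-to-token call) can be checked mechanically before deploying. The script below is an added example, not code from the thread or from Keycloak itself; the keycloak.json content is constructed from the values in the thread, and the function names, the key constants and the `tcp_reachable` probe are assumptions of this example.

```python
import json
import socket
from urllib.parse import urlsplit

# Constructed sample of WEB-INF/keycloak.json using the values from the thread.
SAMPLE_KEYCLOAK_JSON = """{
  "realm": "example",
  "resource": "hello",
  "auth-server-url": "https://ourhost.com/auth",
  "auth-server-url-for-backend-requests": "http://localhost/auth"
}"""

FRONT_KEY = "auth-server-url"
BACKEND_KEY = "auth-server-url-for-backend-requests"


def load_config(text):
    """Parse the adapter configuration (plain JSON)."""
    return json.loads(text)


def is_fully_qualified(url):
    """A fully qualified URL carries a scheme and a host, e.g. https://ourhost.com/auth."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def check_adapter_config(config):
    """Return a list of problems with the two URL settings.

    Rule from the thread: auth-server-url should be fully qualified; if it is
    relative (e.g. "/auth"), auth-server-url-for-backend-requests must be set
    and fully qualified, because the adapter uses that URL for the
    server-to-server code-to-token exchange, not the URL the browser uses.
    """
    problems = []
    front = config.get(FRONT_KEY)
    backend = config.get(BACKEND_KEY)
    if not front:
        problems.append(f"{FRONT_KEY} is missing")
    elif not is_fully_qualified(front) and backend is None:
        problems.append(f"{FRONT_KEY} is relative and {BACKEND_KEY} is not set")
    if backend is not None and not is_fully_qualified(backend):
        problems.append(f"{BACKEND_KEY} must include protocol and host")
    return problems


def backend_endpoint(config):
    """(host, port) the adapter will connect to for the code-to-token call:
    the backend URL if configured, otherwise auth-server-url itself."""
    url = config.get(BACKEND_KEY) or config.get(FRONT_KEY)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def tcp_reachable(host, port, timeout=3.0):
    """Hypothetical helper: a quick TCP connect from the app server to the
    host/port the adapter will use. A timeout here is the same condition that
    surfaces in the log as 'failed to turn code into token: Connection timed out'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    cfg = load_config(SAMPLE_KEYCLOAK_JSON)
    for problem in check_adapter_config(cfg):
        print("config problem:", problem)
    host, port = backend_endpoint(cfg)
    print(f"token exchange goes to {host}:{port}, reachable: {tcp_reachable(host, port)}")
```

Run it on the application server host (the one running the adapter), not from a workstation: the point of the probe is to test the path the adapter itself takes, which in the thread's setup is the local loopback rather than the reverse proxy.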
On Wednesday, January 20, 2016 5:33 PM, Mai Zi <ornot2008(a)yahoo.com> wrote:
Hi,
In the user guide I can find this:
For cluster setup, it may be even better to use option auth-server-url-for-backend-request. This allows to configure that backend requests between Keycloak and your application will be sent directly to same cluster host without additional round-trip through loadbalancer. So for this, it's good to configure values in WEB-INF/keycloak.json like this:
"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "http://${jboss.host.name}:8080/auth"
but I cannot understand it yet. Suppose my case, is there any recommendation?
(BTW: I found the reply will be listed in a separate thread when replying from email. I am very sorry.)
On Wednesday, January 20, 2016 5:16 PM, Alexander Schwartz <alexander.schwartz(a)gmx.net> wrote:
Hi, I am not sure what you mean with "the round trip" here. My recommendation is that auth-server-url should always contain a fully qualified URL. I have actually never tried to use it without a fully qualified URL. If you choose not to use a fully qualified URL in auth-server-url, you *must* set auth-server-url-for-backend-requests to a fully qualified URL (including protocol, host, etc.). I believe you are operating keycloak and wildfly behind a reverse proxy (maybe nginx?)
Best regards, Alexander
--
Alexander Schwartz (alexander.schwartz(a)gmx.net)
http://www.ahus1.de
Sent: Wednesday, 20 January 2016 at 09:57
From: "Mai Zi" <ornot2008(a)yahoo.com>
To: "Alexander Schwartz" <alexander.schwartz(a)gmx.net>, Keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: Aw: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
Hi, Alexander, we deploy the client application server (wildfly) and the auth server (keycloak) on the same machine. The web app URL is http://ourhost.com/hello/index.html and the auth server is https://ourhost.com/auth, so the setup in keycloak.json should be:
"auth-server-url": "/auth",
"auth-server-url-for-backend-requests": "https://ourhost/auth"
Can this reduce the round trip? Thanks a lot
On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz <alexander.schwartz(a)gmx.net> wrote:
During the last phase of the OAuth negotiation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token. In order to work, the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json. If this URL is only accessible to browsers from outside / via a load balancer, and the client application should use a different (direct) URL to reach the keycloak server, you can specify auth-server-url-for-backend-requests in your keycloak.json.
Best regards, Alexander
--
Alexander Schwartz (alexander.schwartz(a)gmx.net)
http://www.ahus1.de
Sent: Wednesday, 20 January 2016 at 05:23
From: "Mai Zi" <ornot2008(a)yahoo.com>
To: Keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?
We get lots of errors like this:
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
which makes the login slow or fail. We are using keycloak 1.7.0 final and brokering a SAML 2.0 IDP (ADFS). The wildfly app server and keycloak are both standalone.