Hi, Alexander,    We deploy the  client application server (wildfly) and auth server (keycloak) in the same machine.      The  web app url is :     http://ourhost.com/hello/index.html   the  auth server is        https://ourhost.com/auth   then the setup in keycloak.json should be :    "auth-server-url": "/auth", "auth-server-url-for-backend-requests": "https://ourhost/auth"   This can reduce the round trip? Thanks a lot  On Wednesday, January 20, 2016 3:56 PM, Alexander Schwartz <alexander.schwartz(a)gmx.net&gt; wrote: During the last phase of OAuth negotation the client application (here: wildfly) will contact the oauth server (here: keycloak) to change the code into a token. In order to work the client application (here: wildfly) must be able to contact the keycloak server using the auth-server-url given in keycloak.json. If this URL is only accessible browsers from external / via a load balancer, and client application should use a different (direct) URL to reach the keycloak server you can specify auth-server-url-for-backend-requests in your keycloak.json Best regards,Alexander -- Alexander Schwartz (alexander.schwartz(a)gmx.net) http://www.ahus1.de  Gesendet: Mittwoch, 20. Januar 2016 um 05:23 Uhr Von: "Mai Zi" <ornot2008(a)yahoo.com&gt; An: Keycloak-user <keycloak-user(a)lists.jboss.org&gt; Betreff: [keycloak-user] What can bring this error "failed to turn code into token" over and over again?We get lots of errors like this: 2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out  and which makes the login slow or failed .  We are using keycloak 1.7.0 final  and broke a SAML 2.0 IDP (ADFS).  The wildfly app server  and keycloak both are standalone.