Failed to make identity provider oauth callback: SocketTimeoutException: Read timed out

Hi, I’m new to using Keycloak and I’m having some trouble running it.
I’m running a Keycloak cluster in AWS ECS behind an ALB, and I configured a realm with two identity providers (Google and another OIDC). With Google everything works fine, but with the other, a lot of the time the users get to the error page. This is the log:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-18) Failed to make identity provider oauth callback: java.net.SocketTimeoutException: Read timed out
	at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:277)
	at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:216)
	at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:208)
	at org.keycloak.keycloak-services@15.0.2//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:500

I couldn’t find a way to change the socket timeout.
Keycloak version 15.0.2

As you may know, Keycloak needs to do a POST request to your identity provider (in the authorization URL) to exchange code for access_token.

You should make a test to check if the OIDC provider is reachable from a container running in ECS.

Not sure how you’d do that, though.
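
One way to run the reachability test suggested above from inside the ECS task, as an added example that is not part of the original thread: it POSTs a deliberately invalid code to the provider's token endpoint several times and separates connection-phase failures from a provider that accepts the request but answers too slowly. The URL argument, `PROBE_BODY` and the function names are assumptions, and Python 3 must be available in the container.

```python
import http.client
import socket
import sys
import time
from collections import Counter
from urllib.parse import urlsplit

# Constructed body: a deliberately invalid code, so a healthy provider answers
# quickly with an HTTP 4xx error instead of issuing tokens.
PROBE_BODY = "grant_type=authorization_code&code=connectivity-probe"

def probe_once(url, connect_timeout=3.0, read_timeout=10.0):
    """POST once to url; return (outcome, seconds). Outcome names the phase reached."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=connect_timeout)
    phase, start = "connect", time.monotonic()
    try:
        conn.connect()                      # TCP connect, plus TLS handshake for https
        conn.sock.settimeout(read_timeout)  # from here on we wait for the provider
        phase = "read"
        conn.request("POST", u.path or "/", body=PROBE_BODY,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        outcome = f"http_{conn.getresponse().status}"
    except socket.timeout:
        outcome = f"{phase}_timeout"        # read_timeout: connected, but no answer in time
    except (OSError, http.client.HTTPException):
        outcome = f"{phase}_error"          # refused, reset, DNS or TLS failure
    finally:
        conn.close()
    return outcome, time.monotonic() - start

def summarize(results):
    """Collapse [(outcome, seconds), ...] into (counts per outcome, slowest attempt)."""
    counts = Counter(outcome for outcome, _ in results)
    slowest = max((secs for _, secs in results), default=0.0)
    return dict(counts), slowest

if __name__ == "__main__":
    # Usage: python3 probe.py <token endpoint URL> [attempts]
    url = sys.argv[1]
    attempts = int(sys.argv[2]) if len(sys.argv) > 2 else 20
    results = []
    for _ in range(attempts):
        results.append(probe_once(url))
        time.sleep(1)
    print(summarize(results))
```

A run that mixes `http_4xx` results with occasional `read_timeout` entries points at a slow or overloaded provider or network path, while `connect_timeout` or `connect_error` points at routing, security groups or DNS.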

Thanks for the reply. It’s reachable because sometimes the user can log in. But I don’t know if this error is related to some network problem or if it’s some misconfiguration, like some handshake problem with the redirect URI.

I put an internet gateway into the private subnet.

You can enable logging of HTTP requests made by Keycloak, as commented here:
http://keycloak.discourse.group/t/quick-tip-logging-outgoing-http-requests-in-keycloak-server/10928

On ECS, it should be a little more tricky.

You’ll need to set the log level in the WildFly configuration.

You can run keycloak on your personal machine, do the modifications below, stop the container and create a new image from it. Push this container to a place where ECS can see it. Instructions on how to do that here (https://www.sentinelone.com/blog/create-docker-image/)

To do the modifications, two options:

1.1 - edit /opt/jboss/keycloak/standalone/configuration/standalone.xml, create entries to set the desired log levels.
1.2 - stop the container
1.3 - commit and create a new image from it

2 - exec a bash into the running container, create an administrative console user with /opt/jboss/keycloak/bin/add-user.sh
2.1 - access the administrative console (normally on port 9990). Set the desired log levels there.
2.2 - stop the container
2.3 - commit and create a new image from it

You now have a new image of Keycloak capable of tracing HTTP requests. To activate it, run the container in ECS with the environment variable
JAVA_OPTS=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog

I suppose it would be a good idea to test this on your machine before sending it to ECS, to check for problems in the above steps.

Thanks, this helped a lot.
