Hi, I’m new to Keycloak and I’m having some trouble running it.
I’m running a Keycloak cluster in AWS ECS behind an ALB, and I configured a realm with two identity providers (Google and another OIDC provider). With Google everything works fine, but with the other one the users often end up on an error page. This is the log:
ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-18) Failed to make identity provider oauth callback: java.net.SocketTimeoutException: Read timed out
at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:277)
at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:216)
at org.keycloak.keycloak-server-spi-private@15.0.2//org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:208)
at org.keycloak.keycloak-services@15.0.2//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:500
I couldn’t find a way to change the socket timeout.
Keycloak version 15.0.2
Thanks for the reply. It’s reachable, because sometimes the user can log in. But I don’t know whether this error is related to some network problem or to some misconfiguration, like a handshake problem with the redirect URI.
You’ll need to set the log level in the WildFly configuration.
You can run Keycloak on your personal machine, make the modifications below, stop the container and create a new image from it. Push this container to a place where ECS can see it. Instructions on how to do that are here (https://www.sentinelone.com/blog/create-docker-image/)
To do the modifications, there are two options:
1.1 - Edit /opt/jboss/keycloak/standalone/configuration/standalone.xml and create entries to set the desired log levels.
1.2 - Stop the container.
1.3 - Commit and create a new image from it.
2 - Exec a bash into the running container and create an administrative console user with /opt/jboss/keycloak/bin/add-user.sh.
2.1 - Access the administrative console (normally on port 9990). Set the desired log levels there.
2.2 - Stop the container.
2.3 - Commit and create a new image from it.
You now have a new image of Keycloak capable of tracing HTTP requests. To activate it, run the container in ECS with the environment variable
JAVA_OPTS=-Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.SimpleLog
I suppose it would be a good idea to test this on your machine before sending it to ECS, to check for problems in the above steps.
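For step 1.1 above, here is an added example (not code from the reply or from the Keycloak project) of editing the WildFly logging subsystem in standalone.xml programmatically rather than by hand. The XML below is a constructed, trimmed fragment of a Keycloak 15 standalone.xml; the real file is much longer and the namespace versions may differ. The chosen categories are assumptions: org.keycloak.broker is the package that logged the error in the question, and org.apache.http is the HTTP client stack used underneath SimpleHttp. The script updates an existing logger in place instead of duplicating it (duplicate categories are invalid) and inserts new loggers before root-logger, where the subsystem schema expects them.

```python
"""Add or update <logger> entries in the WildFly logging subsystem of a
Keycloak 15 standalone.xml.  Added example for the thread above, not part of
the original reply.  SAMPLE_STANDALONE_XML is a constructed, trimmed fragment.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the shape of the logging subsystem matters here.
SAMPLE_STANDALONE_XML = """<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:16.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:logging:8.0">
      <console-handler name="CONSOLE">
        <level name="INFO"/>
        <formatter>
          <named-formatter name="COLOR-PATTERN"/>
        </formatter>
      </console-handler>
      <logger category="com.arjuna">
        <level name="WARN"/>
      </logger>
      <logger category="org.keycloak">
        <level name="INFO"/>
      </logger>
      <root-logger>
        <level name="INFO"/>
        <handlers>
          <handler name="CONSOLE"/>
        </handlers>
      </root-logger>
      <formatter name="COLOR-PATTERN">
        <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
      </formatter>
    </subsystem>
  </profile>
</server>
"""

# Assumed categories: the brokering package from the stack trace in the
# question, and the Apache HttpClient stack used by SimpleHttp.
DEBUG_CATEGORIES = {
    "org.keycloak.broker": "DEBUG",
    "org.apache.http": "DEBUG",
}

LOGGING_SUBSYSTEM_RE = re.compile(
    r'(<subsystem xmlns="urn:jboss:domain:logging:[^"]+">)(.*?)(</subsystem>)',
    re.DOTALL,
)
VALID_LEVELS = {"ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"}


def set_logger_levels(xml_text: str, levels: dict) -> str:
    """Return xml_text with one <logger> per category set to the given level.

    An existing logger for the category is updated in place (never duplicated);
    a missing one is inserted immediately before <root-logger>.
    """
    for level in levels.values():
        if level not in VALID_LEVELS:
            raise ValueError(f"unknown log level {level!r}")

    match = LOGGING_SUBSYSTEM_RE.search(xml_text)
    if match is None:
        raise ValueError("no logging subsystem found in configuration")
    head, body, tail = match.groups()

    for category, level in levels.items():
        existing = re.compile(
            r'(<logger category="%s"[^>]*>\s*<level name=")[^"]*(")' % re.escape(category)
        )
        if existing.search(body):
            body = existing.sub(r"\g<1>%s\g<2>" % level, body, count=1)
            continue
        root_idx = body.find("<root-logger")
        if root_idx < 0:
            raise ValueError("logging subsystem has no <root-logger>")
        new_logger = (
            f'<logger category="{category}">\n'
            f'        <level name="{level}"/>\n'
            f"      </logger>\n      "
        )
        body = body[:root_idx] + new_logger + body[root_idx:]

    result = xml_text[: match.start()] + head + body + tail + xml_text[match.end():]
    ET.fromstring(result)  # fail loudly if the edit produced malformed XML
    return result


def logger_levels(xml_text: str) -> dict:
    """Parse the configuration and return {category: level} for every <logger>."""
    root = ET.fromstring(xml_text)
    levels = {}
    for elem in root.iter():
        if not isinstance(elem.tag, str) or not elem.tag.endswith("}subsystem"):
            continue
        ns = elem.tag[1 : elem.tag.index("}")]
        if not ns.startswith("urn:jboss:domain:logging:"):
            continue
        for logger in elem.findall(f"{{{ns}}}logger"):
            level = logger.find(f"{{{ns}}}level")
            levels[logger.get("category")] = level.get("name") if level is not None else None
    return levels


if __name__ == "__main__":
    # Run inside the container against the real file, then commit the image
    # as described in steps 1.2 and 1.3 (path taken from the reply above).
    print(set_logger_levels(SAMPLE_STANDALONE_XML, DEBUG_CATEGORIES))
```

Point the script at /opt/jboss/keycloak/standalone/configuration/standalone.xml instead of the sample to apply it inside the container; if you cluster with standalone-ha.xml, edit that file instead. Remember to turn the levels back down once the timeout is understood, since DEBUG logging of the HTTP client can write token material into the logs.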