Failed to make identity provider oauth callback

Hello,

I am sometimes getting a timeout error when authenticating with Microsoft as my identity provider. It is weird because sometimes it does work and I end up authenticated, but other times it shows me a 504 Gateway Time-out error and says that the server didn’t respond in time. The Keycloak logs say the following:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-12) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to login.microsoftonline.com:443 [login.microsoftonline.com/40.126.28.14, login.microsoftonline.com/40.126.28.13, login.microsoftonline.com/40.126.28.21, login.microsoftonline.com/40.126.28.19, login.microsoftonline.com/40.126.28.22, login.microsoftonline.com/40.126.7.32, login.microsoftonline.com/40.126.28.20, login.microsoftonline.com/40.126.7.35] failed: Connection timed out (Connection timed out)

I configured the identity provider as follows:

"identityProviders": [
        {
            "alias": "microsoft",
            "displayName": "Microsoft SSO",
            "internalId": "*****",
            "providerId": "oidc",
            "enabled": true,
            "updateProfileFirstLoginMode": "on",
            "trustEmail": true,
            "storeToken": true,
            "addReadTokenRoleOnCreate": true,
            "authenticateByDefault": false,
            "linkOnly": false,
            "firstBrokerLoginFlowAlias": "first broker login",
            "config": {
                "validateSignature": "false",
                "acceptsPromptNoneForwardFromClient": "true",
                "clientId": "*******",
                "tokenUrl": "https://login.microsoftonline.com/****/oauth2/v2.0/token",
                "uiLocales": "true",
                "jwksUrl": "https://login.microsoftonline.com/****/discovery/v2.0/keys",
                "backchannelSupported": "true",
                "useJwksUrl": "true",
                "loginHint": "true",
                "authorizationUrl": "https://login.microsoftonline.com/****/oauth2/v2.0/authorize",
                "clientAuthMethod": "client_secret_post",
                "disableUserInfo": "false",
                "logoutUrl": "https://login.microsoftonline.com/****/oauth2/v2.0/logout",
                "syncMode": "IMPORT",
                "clientSecret": "**********",
                "defaultScope": "profile email"
            }
        }
    ],

I figured the problem could be related to Keycloak trying to access Microsoft without going through the corporate proxy, so I added the following commands to the Dockerfile I use for my Keycloak container:

"-Dhttp.proxyHost=http://my.corporate.proxy.com",
"-Dhttp.proxyPort=8080"

and also added a proxy mapping to the standalone.xml file like so:

<spi name="connectionsHttpClient">
    <provider name="default" enabled="true">
        <properties>
            <property name="proxy-mappings" value="[&quot;.*;http://my.corporate.proxy.com:8080&quot;]" />
        </properties>
    </provider>
</spi>

However, this did not help. What am I missing?

Try to use the https proxy, because you are using the https protocol:

-Dhttps.proxyHost=http://my.corporate.proxy.com
-Dhttps.proxyPort=8080

IMHO you can use the JAVA_OPTS_APPEND env variable with the official image from Docker Hub - you don’t need to build your own image.

That makes sense, thank you!

I added them with JAVA_OPTS_APPEND and they do show up as JAVA_OPTS when starting the container. However, this did not fix the issue; I still get the timeout error sometimes.

I activated the DEBUG log level and I see this log when the authentication fails:

11:24:06,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
11:24:06,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
11:24:06,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
11:24:06,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
11:24:06,467 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1691/0x0000000841612440
11:24:08,159 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) new JtaTransactionWrapper
11:24:08,159 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) was existing? false
11:24:08,161 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-18) PKCE non-supporting Client
11:24:08,161 DEBUG [org.keycloak.services.util.CookieHelper] (default task-18) AUTH_SESSION_ID cookie found in the request header
11:24:08,161 DEBUG [org.keycloak.services.util.CookieHelper] (default task-18) AUTH_SESSION_ID cookie found in the cookie field
11:24:08,161 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-18) Found AUTH_SESSION_ID cookie with value b6162fed-f16f-4983-8713-dfad47866a83.fv-keycloak-dbs-1-tw6sq
11:24:08,161 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-18) Sent request to authz endpoint. Root authentication session with ID 'b6162fed-f16f-4983-8713-dfad47866a83' exists. Client is 'express-server' . Created new authentication session with tab ID: R2Q7PdUg-2c
11:24:08,162 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-18) AUTHENTICATE
11:24:08,162 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-18) AUTHENTICATE ONLY
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) processFlow: browser
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) authenticator: auth-cookie
11:24:08,162 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Going through the flow 'browser' for adding executions
11:24:08,162 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Going through the flow 'forms' for adding executions
11:24:08,162 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Selections when trying execution 'auth-cookie' : [ authSelection - auth-cookie,  authSelection - identity-provider-redirector,  authSelection - auth-username-password-form]
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) invoke authenticator.authenticate: auth-cookie
11:24:08,162 DEBUG [org.keycloak.services.util.CookieHelper] (default task-18) Could not find cookie KEYCLOAK_IDENTITY, trying KEYCLOAK_IDENTITY_LEGACY
11:24:08,162 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-18) Could not find cookie: KEYCLOAK_IDENTITY
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) authenticator ATTEMPTED: auth-cookie
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) check execution: 'identity-provider-redirector', requirement: 'ALTERNATIVE'
11:24:08,162 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) authenticator: identity-provider-redirector
11:24:08,162 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Going through the flow 'browser' for adding executions
11:24:08,163 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Going through the flow 'forms' for adding executions
11:24:08,163 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Selections when trying execution 'identity-provider-redirector' : [ authSelection - identity-provider-redirector,  authSelection - auth-username-password-form]
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) invoke authenticator.authenticate: identity-provider-redirector
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) authenticator ATTEMPTED: identity-provider-redirector
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) check execution: 'forms flow', requirement: 'ALTERNATIVE'
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) processFlow: forms
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) check execution: 'auth-username-password-form', requirement: 'REQUIRED'
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) authenticator: auth-username-password-form
11:24:08,163 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Going through the flow 'browser' for adding executions
11:24:08,163 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Going through the flow 'forms' for adding executions
11:24:08,163 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-18) Selections when trying execution 'auth-username-password-form' : [ authSelection - auth-username-password-form]
11:24:08,163 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-18) invoke authenticator.authenticate: auth-username-password-form
11:24:08,163 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) new JtaTransactionWrapper
11:24:08,163 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) was existing? true
11:24:08,163 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper  commit
11:24:08,163 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper end
11:24:08,163 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper resuming suspended
11:24:08,167 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper  commit
11:24:08,167 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper end
11:24:09,075 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) new JtaTransactionWrapper
11:24:09,075 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) was existing? false
11:24:09,076 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-18) Sending authentication request to identity provider [microsoft].
11:24:09,077 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-18) Will use client 'express-server' in back-to-application link
11:24:09,077 DEBUG [org.keycloak.services.util.CookieHelper] (default task-18) AUTH_SESSION_ID cookie found in the request header
11:24:09,077 DEBUG [org.keycloak.services.util.CookieHelper] (default task-18) AUTH_SESSION_ID cookie found in the cookie field
11:24:09,077 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-18) Found AUTH_SESSION_ID cookie with value b6162fed-f16f-4983-8713-dfad47866a83.fv-keycloak-dbs-1-tw6sq
11:24:09,077 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) new JtaTransactionWrapper
11:24:09,077 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) was existing? true
11:24:09,077 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper  commit
11:24:09,078 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper end
11:24:09,078 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper resuming suspended
11:24:09,078 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-18) Authorization code is valid.
11:24:09,078 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) new JtaTransactionWrapper
11:24:09,078 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) was existing? true
11:24:09,079 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper  commit
11:24:09,079 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper end
11:24:09,079 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper resuming suspended
11:24:09,079 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-18) Identity provider [org.keycloak.broker.oidc.OIDCIdentityProvider@794f4780] is going to send a request [org.jboss.resteasy.specimpl.BuiltResponse@3971e691].
11:24:09,080 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper  commit
11:24:09,080 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) JtaTransactionWrapper end
11:24:09,321 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) new JtaTransactionWrapper
11:24:09,321 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-18) was existing? false
11:24:11,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
11:24:11,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
11:24:11,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
11:24:11,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
11:24:11,467 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1691/0x0000000841612440
11:24:16,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
11:24:16,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
11:24:16,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
11:24:16,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
11:24:16,468 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1691/0x0000000841612440
11:24:21,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
11:24:21,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
11:24:21,467 DEBUG [org.keycloak.models.sessions.infinispan.changes.sessions.PersisterLastSessionRefreshStore] (Timer-2) Updating 0 userSessions with lastSessionRefresh: 1617967401
11:24:21,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
11:24:21,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
11:24:21,468 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1691/0x0000000841612440
11:24:26,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
11:24:26,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
11:24:26,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
11:24:26,467 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
11:24:26,467 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1691/0x0000000841612440
11:24:31,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
11:24:31,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
11:24:31,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
11:24:31,468 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
11:24:31,468 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$1691/0x0000000841612440

And this:

11:22:05,157 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to login.microsoftonline.com:443 [login.microsoftonline.com/20.190.160.134, login.microsoftonline.com/20.190.160.129, login.microsoftonline.com/20.190.160.6, login.microsoftonline.com/20.190.160.132, login.microsoftonline.com/20.190.160.136, login.microsoftonline.com/20.190.160.2, login.microsoftonline.com/20.190.160.71, login.microsoftonline.com/20.190.160.4] failed: Connection timed out (Connection timed out)
	at org.apache.httpcomponents.core//org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:156)
	at org.apache.httpcomponents.core//org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at org.apache.httpcomponents.core//org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.httpcomponents.core//org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.httpcomponents.core//org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.httpcomponents.core//org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.httpcomponents.core//org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at org.apache.httpcomponents.core//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at org.keycloak.keycloak-server-spi-private@12.0.4//org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:277)
	at org.keycloak.keycloak-server-spi-private@12.0.4//org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:216)
	at org.keycloak.keycloak-server-spi-private@12.0.4//org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:208)
	at org.keycloak.keycloak-services@12.0.4//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:473)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:395)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:364)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:150)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:110)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:141)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:104)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:245)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:61)
	at org.jboss.resteasy.resteasy-jaxrs@3.13.2.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at javax.servlet.api@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.keycloak-wildfly-extensions@12.0.4//org.keycloak.provider.wildfly.WildFlyRequestFilter.lambda$doFilter$0(WildFlyRequestFilter.java:41)
	at org.keycloak.keycloak-services@12.0.4//org.keycloak.services.filters.AbstractRequestFilter.filter(AbstractRequestFilter.java:43)
	at org.keycloak.keycloak-wildfly-extensions@12.0.4//org.keycloak.provider.wildfly.WildFlyRequestFilter.doFilter(WildFlyRequestFilter.java:39)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.core@2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.core@2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.core@2.2.2.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.core@2.2.2.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.core@2.2.2.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.core@2.2.2.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.core@2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.core@2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
	at io.undertow.core@2.2.2.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at org.wildfly.extension.undertow@21.0.2.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
	at io.undertow.servlet@2.2.2.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
	at io.undertow.core@2.2.2.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
	at io.undertow.core@2.2.2.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at org.jboss.xnio@3.8.2.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
	at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
	at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
	at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
	at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.base/java.net.Socket.connect(Socket.java:609)
	at org.apache.httpcomponents.core//org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:368)
	at org.apache.httpcomponents.core//org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	... 90 more

¯\_(ツ)_/¯ Go to the container directly and test connectivity manually (with/without proxy, telnet, curl, …). It is your infrastructure, so only you have access, only you can test, and only you should know what’s there (sec. group, firewall, proxy, auth, …).

We also see this problem. Most of the time everything works fine, but the error happens from time to time. We used Spring Security before and never had a similar issue.

Did you also have the problem with Microsoft as identity provider? Did you find a way to solve the issue?

No, we don’t use Microsoft. I did not find a way to reproduce it. At the moment I have no idea what it could be.

The problem was that I didn’t configure the proxy mapping in standalone-ha.xml.

https://www.keycloak.org/docs/latest/server_installation/#_proxymappings
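
The check behind this resolution, as an added example that is not code from the thread or from the Keycloak project: it reads the `proxy-mappings` property of the `connectionsHttpClient` SPI from each WildFly config file and reports which proxy, if any, a request to the identity provider host would use, and it pulls the first hop out of the `HttpHostConnectException` line. Assumptions: both XML samples and the shortened log line are constructed for illustration, Python's `re.fullmatch` stands in for the Java regex match Keycloak applies to the hostname, and the first matching mapping wins.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from the thread): the mapping is present in
# standalone.xml but absent from standalone-ha.xml.
STANDALONE_XML = """<server>
  <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <spi name="connectionsHttpClient">
      <provider name="default" enabled="true">
        <properties>
          <property name="proxy-mappings"
                    value="[&quot;.*;http://my.corporate.proxy.com:8080&quot;]"/>
        </properties>
      </provider>
    </spi>
  </subsystem>
</server>"""

STANDALONE_HA_XML = """<server>
  <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <spi name="connectionsHttpClient">
      <provider name="default" enabled="true"/>
    </spi>
  </subsystem>
</server>"""

# Shortened form of the error line quoted in the thread (address list omitted).
SAMPLE_ERROR = (
    "ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-12) "
    "Failed to make identity provider oauth callback: "
    "org.apache.http.conn.HttpHostConnectException: "
    "Connect to login.microsoftonline.com:443 failed: Connection timed out"
)

CONNECT_RE = re.compile(r"HttpHostConnectException: Connect to ([^\s:\[]+):(\d+)")


def local_name(tag):
    """Strip the XML namespace so the lookup works whatever the subsystem version."""
    return tag.rsplit("}", 1)[-1]


def proxy_mappings(xml_text):
    """Return [(host_regex, proxy_uri), ...] from the connectionsHttpClient SPI."""
    root = ET.fromstring(xml_text)
    for spi in root.iter():
        if local_name(spi.tag) != "spi" or spi.get("name") != "connectionsHttpClient":
            continue
        for prop in spi.iter():
            if local_name(prop.tag) == "property" and prop.get("name") == "proxy-mappings":
                pairs = []
                # The attribute value is a JSON array of "pattern;proxy-uri" strings.
                for entry in json.loads(prop.get("value")):
                    pattern, sep, proxy = entry.partition(";")
                    if not sep:
                        raise ValueError(f"malformed proxy mapping: {entry!r}")
                    pairs.append((pattern, proxy))
                return pairs
    return []


def proxy_for(host, mappings):
    """First matching pattern wins; NO_PROXY or no match means a direct connection."""
    for pattern, proxy in mappings:
        if re.fullmatch(pattern, host):
            return None if proxy == "NO_PROXY" else proxy
    return None


def audit(configs, host):
    """Map each config file name to the proxy it selects for host (None = direct)."""
    return {name: proxy_for(host, proxy_mappings(text)) for name, text in configs.items()}


def first_hop(log_line):
    """Host and port the HTTP client tried to open, taken from the exception text.

    If this is the identity provider itself rather than the proxy, the request
    was routed directly and no proxy mapping was in effect.
    """
    m = CONNECT_RE.search(log_line)
    return (m.group(1), int(m.group(2))) if m else None


if __name__ == "__main__":
    configs = {"standalone.xml": STANDALONE_XML, "standalone-ha.xml": STANDALONE_HA_XML}
    host, port = first_hop(SAMPLE_ERROR)
    print(f"first hop attempted: {host}:{port}")
    for name, proxy in audit(configs, host).items():
        print(f"{name}: {host} -> {proxy or 'DIRECT (no proxy mapping)'}")
```

Run it against the file the server actually boots with; a mapping that exists only in the other file has no effect.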