Intermittent auth issue with Keycloak v26

Hi all,

I have Keycloak v26 running on a single pod, behind nginx. When I log in to my app, it authenticates the user's JWT token. On the first try, after I enter my email and click the login button, it returns a 401 page ("failed to exchange OAuth2 authorization code"); then, after I refresh the page, it logs in successfully. I don't want to retry on the app; I'm trying to find the root cause. I tried several solutions, listed below, and none of them fixed the issue.

  • In the backend, set validateAfterInactivity(2s) on TracingClientConnectionManager so stale connections are detected before reuse. Reduced connectionTimeToLive from 60s to 45s (a 15s safety margin below the nginx default 60s keepalive). Enabled background eviction of expired and idle (>30s) connections.
  • Increased the client header buffer size on nginx, since the Google + OIDC URL cookies might cause the bug.
  • Increased parRequestUriLifespan on Keycloak.

Additionally, Keycloak logs a "cookie_not_found" error when I see the 401. KC has a retry mechanism (it uses the KC_RESTART cookie). That is likely what is being used to authenticate after the refresh.

Are there any suggestions?