Hi, I have an AWS ALB doing OIDC auth with Keycloak on a new service.
We went live this morning (whoop!) and have been seeing a very occasional problem (16 from 209 logins) where the user logs in and the ALB reports a 401 error when it should 302 on to the application.
The “text” of the error is AuthInvalidStateParam.
(URL like: GET https://site.uk:443/oauth2/idpresponse?state=QvOwWFKiVQwpWkED…%3D&session_state=496a1080…69c5&code=183ac…8ea-bff9b9e82c05, with …s added by me to make it short!)
If the user goes back to the root of the application (site.uk), they are redirected back to Keycloak, which detects their existing session, passes them back to the ALB, and they have a new state, the same “session_state” and a new “code” up to the first “.”, and they are allowed in fine.
There are no errors being logged by Keycloak. There is only a single KC node at present, although we do have DNS_ping etc. set up to allow for scaling.
Any ideas??