Using Chrome back button to Keycloak SAML Redirect restarts session

Hello! In our application we are using a Keycloak SAML client to authenticate back to a Spring monolith project. Currently we see an issue where, soon after landing on our Spring application after a successful authentication, the user can click the browser back button and land on the Keycloak redirect page.

Most of the time we see a message of "you are already logged in". However, sometimes on Chrome a new session seems to be started with a new tabId. The Keycloak logs show an expired_code error with restart_after_timeout set to true:

2024-04-18 22:26:12,003 WARN  [org.keycloak.events] (executor-thread-512) type="LOGIN_ERROR", realmId="cf024f35-2269-4d8b-8989-8cf914cb361f", clientId="null", userId="null", ipAddress="192.168.XX.XX", error="expired_code", restart_after_timeout="true"

Due to this, and the fact that we have a hard limit on single sessions in our Spring application, we end up closing the Spring session and trying to start a new one, which causes a lot of issues.

The Keycloak Server itself is hosted in an EKS cluster as a Docker deploy but with no reverse proxy or load balancer.

I found this other topic, but it is talking about a reverse proxy: "Keycloak behind reverse proxy sends expire_code" (#14 by sebastienm).

Any thoughts on why this may happen could be helpful. Thank you!
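
Added example, not part of the original post: a small Python triage script that parses Keycloak event lines in the format shown above, picks out LOGIN_ERROR events with error="expired_code" and restart_after_timeout="true", and reports how long after the previous LOGIN from the same IP each one occurred. The sample lines, realm and client names, and IP addresses are constructed, and it assumes successful LOGIN events are written to the same log.

```python
import re
from datetime import datetime

# Matches "<date> <time> <LEVEL> [org.keycloak.events] (<thread>) <fields>"
HEADER = re.compile(r'^(\S+ \S+)\s+(\w+)\s+\[org\.keycloak\.events\]\s+\([^)]*\)\s+(.*)$')
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input modelled on the log line in the post.
SAMPLE_LOG = '''\
2024-04-18 22:25:40,120 DEBUG [org.keycloak.events] (executor-thread-498) type="LOGIN", realmId="example-realm", clientId="example-saml-client", userId="user-1", ipAddress="192.0.2.10"
2024-04-18 22:26:12,003 WARN  [org.keycloak.events] (executor-thread-512) type="LOGIN_ERROR", realmId="example-realm", clientId="null", userId="null", ipAddress="192.0.2.10", error="expired_code", restart_after_timeout="true"
2024-04-18 22:27:01,500 WARN  [org.keycloak.events] (executor-thread-513) type="LOGIN_ERROR", realmId="example-realm", clientId="null", userId="null", ipAddress="192.0.2.77", error="invalid_user_credentials"
2024-04-18 22:28:00,000 INFO  [io.quarkus] (main) unrelated line
'''

def parse_event(line):
    """Return the event's key/value fields plus timestamp, or None for other log lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = dict(FIELD.findall(m.group(3)))
    event["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
    event["level"] = m.group(2)
    return event

def restarted_flows(lines):
    """List (ip, time, seconds_since_last_login) for each restarted login flow."""
    last_login = {}   # ip -> time of most recent successful LOGIN
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip = ev.get("ipAddress")
        if ev.get("type") == "LOGIN":
            last_login[ip] = ev["time"]
        elif (ev.get("type") == "LOGIN_ERROR"
              and ev.get("error") == "expired_code"
              and ev.get("restart_after_timeout") == "true"):
            prev = last_login.get(ip)
            gap = (ev["time"] - prev).total_seconds() if prev else None
            findings.append((ip, ev["time"], gap))
    return findings

if __name__ == "__main__":
    for ip, when, gap in restarted_flows(SAMPLE_LOG.splitlines()):
        print(f"{when} ip={ip} seconds_since_login={gap}")
```

A short gap points at the back-button case described in the post; a gap of None means the restart had no preceding login from that IP in the parsed window.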