[keycloak-user] State mismatch on oidc-client login

We have a realm with an openid-connect client configured to provide authentication for an application using Keycloak. The application is using the Keycloak hosted login page to handle auth redirects. We have this working well except that when one stays on the login page a little longer, the authentication attempt fails with a state mismatch error. We understand the protection this provides. To handle it gracefully, we redirect the user back to login when the mismatch is detected. This creates a weird user experience, where the user just entered their credentials and seemingly nothing happened the first time but succeeds the second time. Have not been able to figure out how to do the following (1) Pass some parameter indicating that the mismatched state happened so that when we get back to the login redirect the second time, we can use the parameter to trigger an appropriate message on the login page (through customizing the theme) to indicate that the user took too long to login. We have tried adding URL parameters when redirecting back to login but this has not worked since these get stripped. (2) What setting in Keycloak determines how long the state parameter from the login redirect is valid. Played with long values for "Client login timeout", "Login timeout", "Login action timeout" under Tokens in the Realm but none of these seems to help. Any advice would be much appreciated. Thanks, -Georgi