[keycloak-user] State mismatch on oidc-client login

[Georgi Matev]

We have a realm with an openid-connect client configured to provide
authentication for an application using Keycloak. The application is using
the Keycloak hosted login page to handle auth redirects. We have this
working well except that when one stays on the login page a little longer,
the authentication attempt fails with a state mismatch error.

We understand the protection this provides. To handle it gracefully, we
redirect the user back to login when the mismatch is detected. This creates
a weird user experience, where the user just entered their credentials and
seemingly nothing happened the first time but succeeds the second time.

Have not been able to figure out how to do the following

(1) Pass some parameter indicating that the mismatched state happened so
that when we get back to the login redirect the second time, we can use the
parameter to trigger an appropriate message on the login page (through
customizing the theme) to indicate that the user took too long to login. We
have tried adding URL parameters when redirecting back to login but this
has not worked since these get stripped.

(2) What setting in Keycloak determines how long the state parameter from
the login redirect is valid. Played with long values for "Client login
timeout", "Login timeout", "Login action timeout" under Tokens in the Realm
but none of these seems to help.

Any advice would be much appreciated.

Thanks,
-Georgi