When authenticating against AM using stateless trees behind a load balancer, AM returns a misleading error message:
"Invalid Session Timed out"
This happens if the AuthID token is sent to a different AM host than the one that created it.
High-level steps to reproduce the error:
- Set up at least two identical AM instances behind a load balancer without sticky sessions, or two separate AM instances, and manually post to each one
- Set trees to use JWT stateless sessions
- Call the tree on AM1; it returns the callbacks with an AuthID
- Post the filled-in callbacks with the AuthID to AM2
- AM then throws "Invalid Session Timed out"
package com.sun.identity.authentication.service authutils.java
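
The reproduction steps above can be scripted against two directly reachable instances. This is an added example, not code from the original report or from AM itself; it uses AM's REST `/json/realms/root/authenticate` endpoint and assumes the root realm, a username/password tree whose callback inputs are `IDToken1` and `IDToken2`, and base URLs, tree name and user supplied on the command line.

```python
import getpass
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

HEADERS = {"Content-Type": "application/json",
           "Accept-API-Version": "resource=2.0, protocol=1.0"}

def authenticate_url(base, tree):
    """Build the REST authenticate URL for a tree on one AM instance."""
    return (f"{base.rstrip('/')}/json/realms/root/authenticate"
            f"?authIndexType=service&authIndexValue={urllib.parse.quote(tree)}")

def fill_callbacks(challenge, answers):
    """Copy AM's challenge, keep its authId, and fill each callback input."""
    reply = json.loads(json.dumps(challenge))  # deep copy; caller's dict is untouched
    for callback in reply.get("callbacks", []):
        for field in callback.get("input", []):
            if field["name"] in answers:
                field["value"] = answers[field["name"]]
    return reply

def _parse(raw):
    try:
        return json.loads(raw)
    except ValueError:  # non-JSON reply, e.g. an error page from the load balancer
        return {"raw": raw.decode(errors="replace")}

def post_json(url, body):
    """POST JSON and return (status, body); error replies are returned, not raised."""
    req = urllib.request.Request(url, json.dumps(body).encode(), HEADERS, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())

def reproduce(am1, am2, tree, answers):
    """Start the tree on am1, then send the filled callbacks and authId to am2."""
    status, challenge = post_json(authenticate_url(am1, tree), {})
    if "authId" not in challenge:
        raise RuntimeError(f"am1 returned no authId (HTTP {status}): {challenge}")
    return post_json(authenticate_url(am2, tree), fill_callbacks(challenge, answers))

if __name__ == "__main__":
    # Arguments (all placeholders): <AM1 base URL> <AM2 base URL> <tree name> <username>
    am1, am2, tree, user = sys.argv[1:5]
    print(reproduce(am1, am2, tree, {"IDToken1": user, "IDToken2": getpass.getpass()}))
```

Passing the same base URL for both instances gives the control case, so the two responses can be compared side by side.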