OTP with Spring Boot Raises 408 Request Timeout:

I have an issue with Okta OTP validation via Java/Spring Boot. Intermittently, when our users enter their OTP (after username/password validated), our backend goes to validate the OTP but fails with the following message:

```
TRACE o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - Failed to process authentication request
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 408 Request Timeout: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><EOL><html><head><EOL><title>408 Request Timeout</title><EOL></head><body><EOL><h1>Request Timeout</h1><EOL><p>Server timeout waiting for the HTTP request from the client.</p><EOL></body></html><EOL>"
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.getResponse(OidcAuthorizationCodeAuthenticationProvider.java:176)
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:144)
```

We cannot consistently reproduce it, but it happens every few mins. However, I ran a wire trace, and even though it's TLS (with EC, so I cannot decrypt it post capture :( ), it seems from the packet ordering that it's Okta perhaps sending the 408 back, not our app simply not getting a response in time from Okta.

The timeout is consistently 60 seconds. If I view the conversations and time of the issue in Wireshark I see the following:

[image]

Anything with a duration of >=60+ seconds is an operation that returned the exception message above. You can see this in the full capture here

Note: I have hidden the source/destination (as org specific). The packets highlighted are both from Okta.

You can see the marked packets showing a 1 min delta then the connection is gracefully closed.

So my question is where the timeout is! In my exception in my log4j trace I have:

```
 - Failed to process authentication request
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 408 Request Timeout: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><EOL><html><head><EOL><title>408 Request Timeout</title><EOL></head><body><EOL><h1>Request Timeout</h1><EOL><p>Server timeout waiting for the HTTP request from the client.</p><EOL></body></html><EOL>
```

So is this Okta timing out and sending me back that HTML? We had assumed that the issue was we were not getting all the data back from Okta in time (60 seconds) and moving on, but looking at the wire trace it seems like the sequence and acks are in order, so that perhaps Okta is timing out on something at its end and sending this message back to us! Can anyone advise?