
Remote access to web-app running under Tomcat 9 and Keycloak authentication doesn't work


I have two setups.

The first one has a Keycloak instance installed on a VM and a Tomcat instance installed on my local laptop. When I start Tomcat and try to access my webapp using http://127.0.0.1:8080/my_app all works as expected: the browser redirects me to the Keycloak sign-in page, then I can authenticate and Keycloak redirects me back to my app.

The second setup is a bit different: I have the same Keycloak instance as in the first setup (1st VM), Tomcat installed on a separate VM (2nd VM), and I try accessing my webapp using http://tomcat.ip:8080/my_app from my laptop. In this case the browser also redirects me to the Keycloak sign-in page, I can successfully sign in, and I can see in the Keycloak Admin Console that a session is created; however, when Keycloak redirects me back to my app I get an error, and the actual address in the browser address bar is http://tomcat.ip:8080/my_app/login?error

Login with OAuth 2.0
Invalid credentials

There are no additional messages in catalina.out or the Keycloak log.

I'm using Tomcat 9.0.83 and Keycloak 24.0.1. The Tomcat configurations are exactly the same; actually, the second setup has a copy of the Tomcat directory from the first one.

Any ideas how to solve the issue?


Solution

  • It turned out that the time on the Keycloak server and the remote Tomcat server was not the same. My web app received a token from the future and couldn't validate it.
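To make the failure mode concrete, here is an added example (not code from the question, the answer, or Keycloak/Tomcat) that builds an HS256 token whose `iat` is set by a clock running three minutes ahead, as the Keycloak VM's was, and validates it with and without a small leeway. The shared secret, timestamps and claim values are constructed for illustration; `apparent_skew` is a hypothetical helper that reports how far ahead the issuer's clock appears to be.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    # Minimal HS256 JWT (header.payload.signature), issuer side.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_token(token: str, key: bytes, now: int, leeway: int = 0) -> tuple:
    # Verify the signature first, then the time-based claims; 'now' is the
    # validating server's clock, 'leeway' the tolerated skew in seconds.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    if claims.get("iat", 0) > now + leeway:
        return False, "issued in the future (issuer clock ahead?)"
    if claims.get("nbf", 0) > now + leeway:
        return False, "not yet valid"
    if claims.get("exp", float("inf")) <= now - leeway:
        return False, "expired"
    return True, "ok"

def apparent_skew(token: str, now: int) -> int:
    # Positive result: the issuer's clock is ahead of this server's clock.
    claims = json.loads(b64url_decode(token.split(".")[1]))
    return claims.get("iat", now) - now

KEY = b"constructed-shared-secret"        # constructed, not a real key
TOMCAT_NOW = 1_700_000_000                 # constructed Tomcat-side clock
KEYCLOAK_NOW = TOMCAT_NOW + 180            # Keycloak VM runs 3 minutes ahead

# Token issued by Keycloak with a 5-minute lifetime, as seen by Tomcat.
TOKEN = make_token({"sub": "alice", "iat": KEYCLOAK_NOW, "exp": KEYCLOAK_NOW + 300}, KEY)

if __name__ == "__main__":
    print(validate_token(TOKEN, KEY, TOMCAT_NOW))              # rejected: iat in the future
    print(validate_token(TOKEN, KEY, TOMCAT_NOW, leeway=300))  # accepted within 5 min leeway
    print("skew:", apparent_skew(TOKEN, TOMCAT_NOW), "seconds")
```

Leeway only masks small drift; the durable fix is keeping both hosts on the same NTP source so that `apparent_skew` stays near zero.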