Invalid or Expired OIDC Authentication Code in CA Access Gateway (SPS)
Article ID: 197988


Updated On: 04-09-2025

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction


When CA Access Gateway (SPS) is used in an OIDC flow and the user tries to authenticate, the Policy Server returns an error:

{"error":"invalid_grant","error_description":"Authorization code expired."}

The code value seems to be correctly sent to the /token endpoint.


Environment


CA Access Gateway (SPS) 12.8.x 
Policy Server 12.8.x


Cause


The error appears when reaching oidcendpoint.example.com:

00:00:09.704     0.069 1063 1960 GET  Redirect to https://example.com:9443/affwebservices/CASSO/oidc/myEndPoint/authorize?SMASSERTIONREF=QUERY&scope=openid+profile&state=<state>&response_type=code&client_id=<endpointID>&redirect_uri=http%3A%2F%2Fexample.com%3A8080%2Fauth%2Frealms%2Fbroker%2F<endpoint>Name%2Fendpoint&nonce=SDF44dasdsd-sAs_Dwss_dsds https://sps.example.com:9443/affwebservices/secure/secureredirect?scope=openid+profile&state=<state>&response_type=code&client_id=<clientId>&redirect_uri=http%3A%2F%2Foidcendpoint.example.com%3A8080%2Fauth%2Frealms%2Fbroker%2FmyendpointName%2Fendpoint&nonce=<nonce>&SMPORTALURL=dss4df4asd41w55asd212dsa%2B9FtuLvWnZpLQRDkMvChhVT7Fd1VR8w8y1g9NsObGb2MkovLwX0mS7YsgqR8sfAYPmUuGzHIFF1R1wPm4bkTUdy%2FW4NRTqM3tSicOCVP2uinl6pcKVmi%2FOTlUFKswKBrtvMsY9%2FFx

00:00:09.836     0.047 2043 519  GET  Redirect to http://oidcendpoint.example.com:8080/auth/realms/broker/myendpointName/endpoint?nonce=<nonce>&code=<code>&state=<state> https://sps.example.com:9443/affwebservices/CASSO/oidc/<endPoint>/authorize?SMASSERTIONREF=QUERY&scope=openid+profile&state=<state>&response_type=code&client_id=<clientId>&redirect_uri=http%3A%2F%2Foidcendpoint.example.com%3A8080%2Fauth%2Frealms%2Fbroker%2FmyendpointName%2Fendpoint&nonce=<nonce>

00:00:09.920  1  0.301 2760 2092 GET  html http://oidcendpoint.example.com:8080/auth/realms/broker/<endpoint>/Name/endpoint?nonce=<nonce>&code=<code>&state=<state>

FWSTrace.log

[08/14/2020][08:42:56][][][][TokenService.java][doValidateAccessTokenRequestAndSetContext][redirect_uri=oidcendpoint.example.com:8080/auth/realms/broker/<endPoint>/Name/endpoint]
[08/14/2020][08:42:56][][][][OpenIDConnectServiceBase.java][sendJSONErrorResponse][ Sending error JSON message: {"error":"invalid_grant","error_description":"Authorization code expired."} with error code:400]

The Policy Server then compares the expiry time it had stored for the az_code with the current time on the machine and reports the error:

smtracedefault.log

[08/14/2020][08:42:56.248][08:42:56][][][SmSSProvider.cpp:454][CSmSSProvider::GenerateSessionId][][][][][][][][][][][][][<value>][][][][][][][][Leave function CSmSSProvider::GenerateSessionId][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[08/14/2020][08:42:56.404][08:42:56][][][LdapStore.cpp:1558][QueryObject][][][][][][][][][][][][][][][][][][][][][Querying for object 'smSessionId=<value>,o=example,c=com', (filter:" <n/a> ")][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.404][08:42:56][][][SmDsLdapProvider.cpp:2365][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Retrieving attributes for: 'cn=<user>,dc=example,dc=com', Filter: 'objectclass=* '. Status: 1 matching objects.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.404][08:42:56][][][Sm_Auth_Message.cpp:5405][CSm_Auth_Message::FormatAttribute][s6568/r524][<OIDC-Provider>][][<name>][][<OIDC-Az>][<OIDC-Provider>][<User-Store>][][][][][][][][][][][][<value>][Send response attribute 205, data size is 28][][][][][][][][Anonymous Template][][][][][][][cn=<user>,dc=example.dc=com][][][][][][][][][][][][][Login][][][][][][][][][][]

[08/14/2020][08:42:56.419][08:42:56][][][AuthorizationResponseGenerator.java][getConfig][dsadsd4d4s-dsaddsad-dsagfd-asdsde-524fd-fdsadfas-fd22][][][][][][][][][][][][][][][][][][][][ before return, map:: {SMASSERTIONREF=QUERY, USER_DIR_OID=<user_dir_oid>, scope=openid profile, USER_AUTHENTICATION_TIME=1597383776, response_type=code, state=<state>, redirect_uri=http://oidcendpoint.example.com:8080/auth/realms/Testing-Realm/broker/keycloak-oidc/endpoint, authenticationURL=https://oidcendpoint.example.com:9443/affwebservices/CASSO/oidc/<endPoint>/authorize, Oid=null, nonce=<nonce>, client_id=<clientId>}][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.419][08:42:56][][][AuthorizationResponseGenerator.java][persistDataForAccessTokenEndPoint][][][][][][][][][][][][][][][][][][][][][azCodeExpiry (in seconds) 300][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.419][08:42:56][][][OIDCSessionManager.java][updateDataForAzCode][][][][][][][][][][][][][][][][][][][][][ Create new session store entry for az_code ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.419][08:42:56][][][OIDCSessionManager.java][updateDataForAzCode][][][][][][][][][][][][][][][][][][][][][InternalData that is used to generate JSON before encryption:: OpenID ConnectInternalData [azCode=<authorizationCode>, clientId=<clientId>, userId=cn=<user>,dc=example.dc=com, redirectURI=http://oidcendpoint.example.com:8080/auth/realms/broker/<endPoint>/Name/endpoint, scope=openid profile, authTime=1597383776, userDirectoryOID=<oid> isRevoked=false, nonce=<nonce>, refreshTokenIssuedTime=0, tokenIssuedTime=0]][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]1597383776 : Fri, 14 Aug 2020 05:42:56 GMT

[08/14/2020][08:42:56.560][08:42:56][][][CServer.cpp:6557][CServer::Tunnel][][][][][][][][][][][][][][][10.0.0.1][][][][Lib='smjavaapi', Func='JavaTunnelService', Params='com.ca.federation.openidconnect.tunnel.AccessTokenTunnelService', Server='', Device=''][][Resolved all the input parameters][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][OpenIDConnectAccessTokenRequestData: AccessTokenRequest [authorizationCode=<authorizationCode>, authorizationHeader=null, clientID=<endPoint>, grantType=authorization_code, redirectURI=http://sps.example.com:8080/auth/realms/broker/<endPoint>/Name/endpoint, codeVerifier=null, commonData=requestId: <requestId>, serviceVersion: 0, serviceMinimumVersion: 0, fedApiVersion: 1]][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][CodeExpiry retrieved from SessionStore: 1597383694][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 1597383694 : Fri, 14 Aug 2020 05:41:34 GMT

[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Check for az_code expiry with current time][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][returnErrorResponse][][][][][][][][][][][][][][][][][][][][][CODE_EXPIRED][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][prepareErrorResponse][][][][][][][][][][][][][][][][][][][][][Preparing error response with errorcode: INVALID_GRANT, errorMessage:CODE_EXPIRED][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
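The three timestamps in the trace above (USER_AUTHENTICATION_TIME, azCodeExpiry and the CodeExpiry retrieved from the session store) are what the /token check compares, and reading them by hand from the long trace lines is error-prone. The following is an added example, not code from this article or from the SiteMinder product: it parses constructed, trimmed copies of those trace lines, converts the epoch values to the GMT form the trace annotates them with, and reports whether the stored expiry is consistent with authentication time plus the configured expiry. The sample lines, the function names and the check_time parameter are this example's own assumptions.

```python
import re
from email.utils import formatdate

# Constructed sample: the smtracedefault.log lines from this article that carry the
# az_code timing data, with the long runs of empty [] fields trimmed for readability.
SAMPLE_TRACE = """\
[08/14/2020][08:42:56.419][08:42:56][][][AuthorizationResponseGenerator.java][getConfig][][ before return, map:: {SMASSERTIONREF=QUERY, scope=openid profile, USER_AUTHENTICATION_TIME=1597383776, response_type=code, state=<state>, client_id=<clientId>}]
[08/14/2020][08:42:56.419][08:42:56][][][AuthorizationResponseGenerator.java][persistDataForAccessTokenEndPoint][][azCodeExpiry (in seconds) 300]
[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][tunnel][][CodeExpiry retrieved from SessionStore: 1597383694]
[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][tunnel][][ Check for az_code expiry with current time]
[08/14/2020][08:42:56.560][08:42:56][][][AccessTokenTunnelService.java][returnErrorResponse][][CODE_EXPIRED]
"""

# Patterns for the three values the token endpoint's expiry check depends on.
PATTERNS = {
    "auth_time": re.compile(r"USER_AUTHENTICATION_TIME=(\d+)"),
    "az_code_ttl_s": re.compile(r"azCodeExpiry \(in seconds\) (\d+)"),
    "stored_expiry": re.compile(r"CodeExpiry retrieved from SessionStore: (\d+)"),
}


def to_gmt(epoch_seconds):
    """Render an epoch value the way the trace annotates it, e.g. 'Fri, 14 Aug 2020 05:42:56 GMT'."""
    return formatdate(epoch_seconds, usegmt=True)


def parse_trace(text):
    """Pull auth_time, az_code_ttl_s and stored_expiry (ints) out of trace lines.

    Returns whichever of the three were found; a later line wins, which is
    fine for a trace that records a single authorization attempt.
    """
    found = {}
    for line in text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                found[key] = int(match.group(1))
    return found


def diagnose(values, check_time):
    """Compare the expiry stored for the az_code with authentication time plus TTL.

    check_time is the epoch second at which the /token request was validated;
    in the article's trace that is the same second as the authentication.
    """
    missing = [key for key in PATTERNS if key not in values]
    if missing:
        raise ValueError("trace is missing values: " + ", ".join(missing))

    expected_expiry = values["auth_time"] + values["az_code_ttl_s"]
    stored_expiry = values["stored_expiry"]
    return {
        "expected_expiry": expected_expiry,
        "stored_expiry": stored_expiry,
        # Negative means the stored expiry is earlier than auth_time + TTL; a clock that
        # differs between the hosts involved is one explanation, which is why the
        # article's resolution also says to check time services.
        "stored_minus_expected_s": stored_expiry - expected_expiry,
        # A code whose expiry precedes its own authentication time can never be redeemed.
        "stored_before_auth_time": stored_expiry < values["auth_time"],
        "seconds_remaining_at_check": stored_expiry - check_time,
        "expired_at_check": stored_expiry <= check_time,
    }


def report(text, check_time):
    """Human-readable summary of diagnose() for the given trace text."""
    values = parse_trace(text)
    result = diagnose(values, check_time)
    lines = [
        f"auth_time        {values['auth_time']}  ({to_gmt(values['auth_time'])})",
        f"az_code TTL      {values['az_code_ttl_s']} s",
        f"expected expiry  {result['expected_expiry']}  ({to_gmt(result['expected_expiry'])})",
        f"stored expiry    {result['stored_expiry']}  ({to_gmt(result['stored_expiry'])})",
        f"stored - expected: {result['stored_minus_expected_s']} s",
        f"remaining at /token check: {result['seconds_remaining_at_check']} s",
    ]
    if result["stored_before_auth_time"]:
        lines.append("stored expiry precedes the authentication time: check clock sync between "
                     "the hosts that issue and validate the code, then the configured expiry")
    elif result["expired_at_check"]:
        lines.append("code expired before /token was called: raise the expiry or shorten the round trip")
    return "\n".join(lines)


if __name__ == "__main__":
    # In the sample the /token validation is logged in the same second as authentication.
    print(report(SAMPLE_TRACE, check_time=1597383776))
```

Run against the sample, the stored expiry (05:41:34 GMT) lands 82 seconds before the authentication time and 382 seconds before the value authentication time plus 300 seconds would give, so the code was already expired at the moment it was issued; that is the pattern to look for before simply raising the expiry setting.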


Resolution

Increasing the authorization code validity period resolved the problem.

In the OIDC provider configuration, this is controlled by the property:

  "Authorization Code Expiry Time"

which defaults to 1 minute.

Ensure time services on all machines are working as expected.