Right now, the code is saved as a note in AuthenticatedClientSessionModel before the AuthorizationRequest is redirected to the application, and this note is then compared once the code-to-token request is received from the application.
There are issues with concurrent SSO login of the same client (the case when a user has multiple browser tabs and opens http://localhost:8080/auth/admin in them at the same time). This should be improved. Instead, we need to have the code as a JWT and the list of expired codes.
Test: ConcurrentLoginTest and ConcurrentLoginClusterTest should work even if they use the same clients in all threads (right now, each thread needs to have a separate set of clients for the test to pass).
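The proposed design as an added Python example, not Keycloak's own code: each code is a self-contained HS256-signed JWT, so concurrent logins to one client no longer share a single session note, and a list of already redeemed code ids keeps every code single-use. The function names, the `demo-client` id, the random key and the 60-second lifetime are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, threading, time
from concurrent.futures import ThreadPoolExecutor

KEY = secrets.token_bytes(32)  # constructed signing key (assumption)
CODE_LIFETIME = 60             # seconds (assumed value)
_used = {}                     # jti -> exp: redeemed codes, kept until they expire
_used_lock = threading.Lock()

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input):
    return _b64(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_code(client_id, session_id, now=None):
    # Everything needed to validate the code travels inside it; no shared note is written.
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"jti": secrets.token_hex(16), "aud": client_id,
              "sid": session_id, "exp": now + CODE_LIFETIME}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def redeem_code(code, client_id, now=None):
    # Returns the claims for a valid, unused code, otherwise None.
    now = time.time() if now is None else now
    try:
        header, body, sig = code.split(".")
        if not hmac.compare_digest(sig, _sign(header + "." + body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        return None
    with _used_lock:  # check-and-mark must be atomic across concurrent requests
        for jti in [j for j, exp in _used.items() if exp <= now]:
            del _used[jti]  # expired codes fail the exp check anyway
        if claims["jti"] in _used:
            return None  # replay of an already redeemed code
        _used[claims["jti"]] = claims["exp"]
    return claims

def concurrent_logins(tabs, client_id="demo-client"):
    # N tabs of one browser session log in to the same client at once; count successes.
    def tab(_):
        return redeem_code(issue_code(client_id, "demo-session"), client_id) is not None
    with ThreadPoolExecutor(tabs) as pool:
        return sum(pool.map(tab, range(tabs)))
```

The used-code list here is a process-local dict; in a cluster it would have to be shared between nodes for the single-use check to hold.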