Thank you all for your patience as we investigated this.
We reproduced the issue and identified that the 401 error occurs when the browser-side authentication cookie expires before the user completes login. As a mitigation, we increased the timeout from 10 minutes to 60 minutes across all GitLab.com environments and confirmed this resolved the reproducible scenario. However, after monitoring production logs, the overall error rate did not change significantly, indicating that the remaining errors are driven by a condition we have not been able to reproduce.
After further investigation, our team was unable to find any other way to trigger the error. Because browsers do not send expired cookies, the server has no session information to recover, and there is no additional solution available to test. A deeper change to the OAuth flow would carry security ramifications and engineering risk for a condition we cannot reproduce or validate.
The authCookieSessionTimeout setting is available via Charts configuration. Increasing this value will address the idle login scenario.
As a result, we are marking this issue as wontfix and closing. If you discover any other way to reproduce this error, we are happy to reopen the investigation. I've also added this comment at the top of the issue description.
CC: @kivikakk @ngala @khanmansoor @guillene @dailyherold @armin.pasalic
Closing this as it's not a planned priority in the coming quarters. This can always be re-opened if prioritization shifts.