@mark-robustelli finally the issue is in FA counts as login attempt the GET request to /oauth2/authorize when user is already logged in on FA side (FA doesn't show login form in this case).
Scenario: user is not logged in, opens our site and is redirected to FA login page with setting OAuth correlation cookies on our domain, FA shows login form, user waits for 2 mins (standard expiration for correlation cookies) and makes POST request with credentials (login count +1). FA is authenticated on FA side now but user can't be validated on our side due to expired correlation cookies and is redirected back with fresh set of correlation cookies again to FA's /oauth2/authorize (login count +1) which already doesn't show login form (user is already authenticated on FA side) and just redirects to our signin-oidc which succeeds this time.
We added refresh of FA login form each 90 seconds in authorize template to refresh correlation cookies but it doesn't help if we enable 2FA and user stucks on entering code step more than 2 mins.
So, is it possible to fix the double counting on FA side?