Nomad behind SSO proxy with automatic authorization

I’m running Nomad behind an Apache proxy that deals with the SSO authorization, and then calls back to Nomad’s /oidc/callback. When a user logs in to the SSO, they reach Nomad but they’re not authorized yet. They still have to go to /ui/settings/tokens and click on the button to sign in with SSO, and only then do they get a token.

This is what the SSO flow looks like right now:

I don’t understand why there’s a request for /v1/acl/token/self that ends in 500 and then another one that ends in 403.

When clicking on the “sign in with SSO” button, I get redirected to the SSO again, and then there are another two requests to /v1/acl/token/self that fail and finally one that succeeds.

At this point, the user has a valid token.

Is there a way to skip this second step, and get a token directly after finishing the initial SSO flow? My SSO auth-method is marked as default and I’ve tried playing around with multiple different redirect URLs, but nothing seems to work.